Restic: Difference between revisions
Add clarification to further modifications needed for wrapper |
m added section for connecting to a REST server with secrets Tags: Mobile edit Mobile web edit Advanced mobile edit Visual edit |
||
| (5 intermediate revisions by 3 users not shown) | |||
| Line 16: | Line 16: | ||
NixOS provides options to create a systemd timer and a service that will create the backups. See [https://search.nixos.org/options?channel=unstable&from=0&size=50&sort=relevance&type=packages&query=services.restic.backups services.restic.backups options] and "[https://restic.readthedocs.io/en/stable/040_backup.html Backing up]" in the restic documentation. | NixOS provides options to create a systemd timer and a service that will create the backups. See [https://search.nixos.org/options?channel=unstable&from=0&size=50&sort=relevance&type=packages&query=services.restic.backups services.restic.backups options] and "[https://restic.readthedocs.io/en/stable/040_backup.html Backing up]" in the restic documentation. | ||
Note that NixOS includes an option to automatically create the repository by specifying <code>services.restic.backups.<name>.initialize = true</code> | Note that NixOS includes an option to automatically create the repository by specifying <code>services.restic.backups.<name>.initialize = true;</code>, as well as a wrapper to run restic in the same environment as the systemd jobs in <code>services.restic.backups.<name>.createWrapper</code> | ||
=== Restic Rest Server === | === Restic Rest Server === | ||
Restic Rest Server is one of the options for a remote repository<ref>https://restic.readthedocs.io/en/latest/030_preparing_a_new_repo.html#rest-server</ref>. It can be installed by enabling the <code>services.restic.server.enable</code> option. By default the server requires either providing it with <code>htpasswd</code> file or running it without authentication. If provided, the username and password pairs <code>htpassd</code> file will be used to authenticate the restic clients connecting to the server. To run the server without authentication, you can pass the flag using the <code>extraFlags</code> option like this: <code>services.restic.server.extraFlags = [ "--no-auth" ];</code> | Restic Rest Server is one of the options for a remote repository<ref>https://restic.readthedocs.io/en/latest/030_preparing_a_new_repo.html#rest-server</ref>. It can be installed by enabling the <code>services.restic.server.enable</code> option. By default the server requires either providing it with <code>htpasswd</code> file or running it without authentication. If provided, the username and password pairs <code>htpassd</code> file will be used to authenticate the restic clients connecting to the server. To run the server without authentication, you can pass the flag using the <code>extraFlags</code> option like this: <code>services.restic.server.extraFlags = [ "--no-auth" ];</code> | ||
==== Using a htpasswd file ==== | |||
A htpasswd file must be created using the <code>apacheHttpd</code> package. Assuming that you do not already have this package, you may run the following to generate the file using nix shell. Note that the file will be hidden due to the "." at the start of the file. | |||
<syntaxhighlight lang="console"> | |||
$ nix shell nixpkgs#apacheHttpd -c htpasswd -B -c .htpasswd YOUR_USER | |||
</syntaxhighlight>To declaratively use the <code>htpasswd</code> file you will need to use a [[Comparison of secret managing schemes|secret management method]]. The following example uses [https://github.com/Mic92/sops-nix sops-nix]. | |||
{{File|3={config,inputs,...}: | |||
{ | |||
imports = | |||
[ | |||
inputs.sops-nix.nixosModules.sops | |||
]; | |||
sops = { | |||
age.keyFile = "/home/YOUR_USER/.config/sops/age/keys.txt"; | |||
defaultSopsFile = ./secrets.yaml; | |||
secrets."restic_server/password" = { | |||
owner = "restic"; | |||
group = "restic"; | |||
mode = "0400"; | |||
}; | |||
}; | |||
services.restic.server = { | |||
enable = true; | |||
htpasswd-file = config.sops.secrets."restic_server/password".path; | |||
}; | |||
}|name=configuration.nix|lang=nix}} | |||
==== Connecting a client ==== | |||
If using a <code>htpasswd</code> file, you will need to pass the URL to the configuration in this format: | |||
<code>rest:<nowiki>https://user:pass@host:port/</nowiki></code> | |||
The user will need to be the same user as used when you created the <code>htpasswd</code> file. If your password includes special characters you will need to [[wikipedia:Percent-encoding|percent-encode]] the characters within the URL. See additional information in the [https://restic.readthedocs.io/en/stable/030_preparing_a_new_repo.html#rest-server restic docs REST server section]. | |||
Below is an example of a configuration that connects to a remote repository using sops-nix for secrets. | |||
{{File|3={config, inputs, pkgs, ...}: | |||
{ | |||
imports = | |||
[ | |||
inputs.sops-nix.nixosModules.sops | |||
]; | |||
sops = { | |||
age.keyFile = "/home/YOUR_USER/.config/sops/age/keys.txt"; | |||
defaultSopsFile = ./secrets.yaml; | |||
secrets = { | |||
"restic/repo_password" = {}; | |||
"restic/server_url" = {}; | |||
}; | |||
}; | |||
# For debugging | |||
environment.systemPackages = with pkgs; [ | |||
restic | |||
]; | |||
services.restic.backups.restic_repo_example = { | |||
initialize = true; | |||
paths = [ | |||
"/home/YOUR_USER" | |||
]; | |||
pruneOpts = [ | |||
"--keep-daily 7" | |||
"--keep-weekly 5" | |||
"--keep-monthly 12" | |||
"--keep-yearly 75" | |||
]; | |||
timerConfig = { | |||
OnCalendar = "daily"; | |||
Persistent = true; | |||
}; | |||
# Encryption key for repository | |||
passwordFile = config.sops.secrets."restic/repo_password".path; | |||
# Server URL | |||
repositoryFile = config.sops.secrets."restic/server_url".path; | |||
}; | |||
}|name=configuration.nix|lang=nix}} | |||
== Security Wrapper == | == Security Wrapper == | ||
If you want to back up your system [https://restic.readthedocs.io/en/latest/080_examples.html#backing-up-your-system-without-running-restic-as-root without running restic as root], you can create a user and security wrapper to give restic the capability to read anything on the filesystem as if it were running as root. The following will create the wrapper at <code>/run/wrappers/bin/restic</code> | If you want to back up your system [https://restic.readthedocs.io/en/latest/080_examples.html#backing-up-your-system-without-running-restic-as-root without running restic as root], you can create a user and security wrapper to give restic the capability to read anything on the filesystem as if it were running as root. The following will create the wrapper at <code>/run/wrappers/bin/restic</code>: | ||
{{File|3={ | |||
users = { | |||
users.restic = { | |||
group = "restic"; | |||
isSystemUser = true; | |||
}; | |||
}; | groups.restic = {}; | ||
}; | |||
security.wrappers.restic = { | |||
source = lib.getExe pkgs.restic; | |||
owner = "restic"; | |||
group = "restic"; | |||
permissions = "500"; # or u=rx,g=,o= | |||
capabilities = "cap_dac_read_search+ep"; | |||
}; | |||
}|name=configuration.nix|lang=nix}} | |||
} | |||
Note that you will have to set your Restic configuration to use the wrapper using the [https://search.nixos.org/options?channel=unstable&show=services.restic.backups.%3Cname%3E.package&from=0&size=50&sort=relevance&type=packages&query=services.restic.backups services.restic.backups.<name>.package] option, for example <ref>https://github.com/NixOS/nixpkgs/issues/341999#issuecomment-2558504576</ref>: | |||
{{File|3={ | |||
services.restic.backups.foo = { | |||
# ... | |||
user = "restic"; | |||
package = pkgs.writeShellScriptBin "restic" '' | |||
exec /run/wrappers/bin/restic "$@" | |||
''; | |||
}; | |||
}|name=configuration.nix|lang=nix}} | |||
[[Category:Applications]] | [[Category:Applications]] | ||
[[Category:Backup]] | [[Category:Backup]] | ||