Restic: Difference between revisions

From NixOS Wiki
Add clarification to further modifications needed for wrapper
Wo2wz (talk | contribs)
improve wrapper example config
 
(One intermediate revision by one other user not shown)
Line 16: Line 16:
NixOS provides options to create a systemd timer and a service that will create the backups. See [https://search.nixos.org/options?channel=unstable&from=0&size=50&sort=relevance&type=packages&query=services.restic.backups services.restic.backups options] and "[https://restic.readthedocs.io/en/stable/040_backup.html Backing up]" in the restic documentation.
NixOS provides options to create a systemd timer and a service that will create the backups. See [https://search.nixos.org/options?channel=unstable&from=0&size=50&sort=relevance&type=packages&query=services.restic.backups services.restic.backups options] and "[https://restic.readthedocs.io/en/stable/040_backup.html Backing up]" in the restic documentation.


Note that NixOS includes an option to automatically create the repository by specifying     <code>services.restic.backups.<name>.initialize = true</code>;
Note that NixOS includes an option to automatically create the repository by specifying     <code>services.restic.backups.<name>.initialize = true;</code>, as well as a wrapper to run restic in the same environment as the systemd jobs in <code>services.restic.backups.<name>.createWrapper</code>


=== Restic Rest Server ===
=== Restic Rest Server ===
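Review bot: the revised createWrapper sentence in this hunk has no terminating period and stops at the option name, so it reads as unfinished; suggest closing it with a period and saying briefly what the option installs (the wrapper binary name or location) rather than only the environment it reproduces, so readers do not have to look that up. Moving the semicolon inside <code>services.restic.backups.<name>.initialize = true;</code> is correct, since the semicolon belongs to the Nix statement, not the sentence.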
Line 27: Line 27:
If you want to back up your system [https://restic.readthedocs.io/en/latest/080_examples.html#backing-up-your-system-without-running-restic-as-root without running restic as root], you can create a user and security wrapper to give restic the capability to read anything on the filesystem as if it were running as root. The following will create the wrapper at <code>/run/wrappers/bin/restic</code>
If you want to back up your system [https://restic.readthedocs.io/en/latest/080_examples.html#backing-up-your-system-without-running-restic-as-root without running restic as root], you can create a user and security wrapper to give restic the capability to read anything on the filesystem as if it were running as root. The following will create the wrapper at <code>/run/wrappers/bin/restic</code>


<syntaxHighlight lang=nix>
<syntaxhighlight lang="nix">
users.users.restic = {
users = {
   isNormalUser = true;
  users.restic = {
    group = "restic";
    isSystemUser = true;
  };
   groups.restic = {};
};
};


security.wrappers.restic = {
security.wrappers.restic = {
   source = "${pkgs.restic.out}/bin/restic";
   source = lib.getExe pkgs.restic;
   owner = "restic";
   owner = "restic";
   group = "users";
   group = "restic";
   permissions = "u=rwx,g=,o=";
   permissions = "500"; # or u=rx,g=,o=
   capabilities = "cap_dac_read_search=+ep";
   capabilities = "cap_dac_read_search+ep";
};
};
</syntaxHighlight>
</syntaxhighlight>


Note that you will have to set your Restic configuration to use the wrapper using the [https://search.nixos.org/options?channel=unstable&show=services.restic.backups.%3Cname%3E.package&from=0&size=50&sort=relevance&type=packages&query=services.restic.backups services.restic.backups.<name>.package] option, for example <ref>https://github.com/NixOS/nixpkgs/issues/341999#issuecomment-2558504576</ref>,
Note that you will have to set your Restic configuration to use the wrapper using the [https://search.nixos.org/options?channel=unstable&show=services.restic.backups.%3Cname%3E.package&from=0&size=50&sort=relevance&type=packages&query=services.restic.backups services.restic.backups.<name>.package] option, for example <ref>https://github.com/NixOS/nixpkgs/issues/341999#issuecomment-2558504576</ref>,
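Review bot: the tightened wrapper definition is the right direction and the text should say why: permissions "500" with owner "restic" means only the restic user (and root) can execute a binary that carries cap_dac_read_search, so an unrelated local account cannot use the wrapper to read the whole filesystem. The old "u=rwx,g=,o=" already denied group and others, so the effective changes are dropping the unneeded owner write bit and moving from the shared "users" group to a dedicated "restic" group; the comment "# or u=rx,g=,o=" is the symbolic form of 500, so either spelling is fine. Worth a sentence as well: isSystemUser = true requires the group option to be set, which is why groups.restic = {} is added alongside it. The paragraph after the block still ends in a dangling comma before the example that follows.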

Latest revision as of 18:37, 2 November 2025

Restic is a fast and secure backup program. NixOS packages both the restic client (the program used to make backups) and restic-rest-server (one of the backends that stores backups remotely; the storage locations are called "repositories" in restic parlance).

Installing

If you want to create restic backups manually, add restic to environment.systemPackages like so:

environment.systemPackages = with pkgs; [
  restic
];

Configuring

Restic

NixOS provides options to create a systemd timer and a service that will create the backups. See services.restic.backups options and "Backing up" in the restic documentation.

Note that NixOS includes an option to create the repository automatically by specifying services.restic.backups.<name>.initialize = true;, as well as a wrapper that runs restic in the same environment as the systemd jobs, enabled with services.restic.backups.<name>.createWrapper.

Restic Rest Server

Restic Rest Server is one of the options for a remote repository[1]. It can be installed by enabling the services.restic.server.enable option. By default the server requires either an htpasswd file or being run explicitly without authentication. If an htpasswd file is provided, the username and password pairs in it are used to authenticate the restic clients connecting to the server. To run the server without authentication, pass the flag via the extraFlags option like this: services.restic.server.extraFlags = [ "--no-auth" ];

Passing the htpasswd file should be done using one of the secret management methods, so that the credentials do not end up in the world-readable Nix store.
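As an added example (not the wiki's own configuration), here is a rest-server that authenticates clients with an htpasswd file and is locked down so that a compromised client cannot delete or overwrite its own history. The listen address, data directory and the secret path /run/secrets/restic-htpasswd are assumptions; the path stands for wherever your secret management method places the file. The --htpasswd-file flag is rest-server's own; it is passed through extraFlags here.

```nix
# Added example, not from the NixOS wiki: an authenticated, append-only
# restic REST server. Paths and addresses are placeholders.
{ config, pkgs, ... }:

{
  services.restic.server = {
    enable = true;

    # Assumption: the server sits on loopback behind a reverse proxy or VPN;
    # use ":8000" to listen on all interfaces instead.
    listenAddress = "127.0.0.1:8000";
    dataDir = "/var/lib/restic";

    # Clients may add snapshots but cannot delete or modify existing data,
    # so a client whose credentials leak cannot destroy earlier backups.
    appendOnly = true;

    # Each htpasswd user is confined to the repository under its own name,
    # so one backup client cannot read another client's repository.
    privateRepos = true;

    # htpasswd lines have the form "user:bcrypt-hash" (create them with the
    # htpasswd tool). The file is delivered by a secret manager at runtime,
    # which keeps the hashes out of the Nix store.
    extraFlags = [ "--htpasswd-file" "/run/secrets/restic-htpasswd" ];
  };
}
```

With appendOnly enabled, forget and prune operations fail against this server by design; run them from a trusted host with a separate rest-server instance or direct filesystem access rather than from the backup clients.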

Security Wrapper

If you want to back up your system without running restic as root, you can create a dedicated user and a security wrapper that gives restic the CAP_DAC_READ_SEARCH capability, so it can read any file and traverse any directory as if it were running as root. The following will create the wrapper at /run/wrappers/bin/restic:

users = {
  users.restic = {
    group = "restic";
    isSystemUser = true;
  };
  groups.restic = {};
};

security.wrappers.restic = {
  source = lib.getExe pkgs.restic;
  owner = "restic";
  group = "restic";
  permissions = "500"; # or u=rx,g=,o=
  capabilities = "cap_dac_read_search+ep";
};

Note that you will also have to point your Restic configuration at the wrapper using the services.restic.backups.<name>.package option, for example [2]:

services.restic.backups.foo = {
  # ...
  user = "restic";
  package = pkgs.writeShellScriptBin "restic" ''
    exec /run/wrappers/bin/restic "$@"
  '';
};
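Tying the "Restic" configuration section and the Security Wrapper section together, here is an added example (not the wiki's own configuration) of a complete backup job that runs as the unprivileged restic user through the wrapper above, initializes its repository on first run, and installs the createWrapper helper. The job name "system", the repository path /mnt/backup/restic, the password file path /run/secrets/restic-password and the backed-up paths are all assumptions to be replaced with your own.

```nix
# Added example, not from the NixOS wiki: a scheduled, unprivileged backup job
# using the /run/wrappers/bin/restic capability wrapper. Paths are placeholders.
{ config, pkgs, ... }:

{
  services.restic.backups.system = {
    # Run as the dedicated user from the Security Wrapper section, not root.
    user = "restic";

    # Route every restic invocation through the wrapper, which carries
    # cap_dac_read_search so the job can read files the restic user
    # otherwise could not open.
    package = pkgs.writeShellScriptBin "restic" ''
      exec /run/wrappers/bin/restic "$@"
    '';

    # Create the repository on the first run if it does not exist yet.
    initialize = true;
    # Assumption: a locally mounted backup disk; the directory must be
    # writable by the restic user for initialize to succeed.
    repository = "/mnt/backup/restic";
    # Repository password delivered by your secret management method.
    passwordFile = "/run/secrets/restic-password";

    paths = [ "/home" "/etc" "/var/lib" ];
    exclude = [ "/home/*/.cache" ];

    # Nightly run; Persistent catches up a missed run after the host was off.
    timerConfig = {
      OnCalendar = "03:00";
      Persistent = true;
      RandomizedDelaySec = "30m";
    };

    # Bounded retention: forget and prune run after each backup.
    pruneOpts = [
      "--keep-daily 7"
      "--keep-weekly 4"
      "--keep-monthly 6"
    ];

    # Installs a restic-system command that runs restic with this job's
    # repository, password file and package, for inspecting or restoring.
    createWrapper = true;
  };
}
```

After a rebuild, systemctl list-timers shows the restic-backups-system timer, and restic-system snapshots lists what has been backed up without having to reconstruct the job's environment by hand. Because the wrapper grants read access only, a restore to system locations still has to be run as root.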