Restic: Difference between revisions

imported>Cyounkins
Created page with "Restic is a fast and secure backup program. == Installing == Add <code>restic</code> to <code>environment.systemPackages</code> like so: <syntaxHighlight lang=nix> environm..."
 
Wo2wz (talk | contribs)
improve wrapper example config
 
(5 intermediate revisions by 4 users not shown)
Line 1: Line 1:
Restic is a fast and secure backup program.
[https://restic.net/ Restic] is a fast and secure backup program. NixOS packages both <code>restic</code> client (program used to make backups) and <code>restic-rest-server</code> (one of the backends to store the backups remotely, "repositories" in restic parlance).


== Installing ==
== Installing ==


Add <code>restic</code> to <code>environment.systemPackages</code> like so:
If you want to manually create restic backups, add <code>restic</code> to <code>environment.systemPackages</code> like so:


<syntaxHighlight lang=nix>
<syntaxHighlight lang=nix>
Line 10: Line 10:
];
];
</syntaxHighlight>
</syntaxHighlight>
== Configuring ==
=== Restic ===
NixOS provides options to create a systemd timer and a service that will create the backups. See [https://search.nixos.org/options?channel=unstable&from=0&size=50&sort=relevance&type=packages&query=services.restic.backups services.restic.backups options] and "[https://restic.readthedocs.io/en/stable/040_backup.html Backing up]" in the restic documentation.
Note that NixOS includes an option to automatically create the repository by specifying     <code>services.restic.backups.<name>.initialize = true;</code>, as well as a wrapper to run restic in the same environment as the systemd jobs in <code>services.restic.backups.<name>.createWrapper</code>
=== Restic Rest Server ===
Restic Rest Server is one of the options for a remote repository<ref>https://restic.readthedocs.io/en/latest/030_preparing_a_new_repo.html#rest-server</ref>. It can be installed by enabling the <code>services.restic.server.enable</code> option. By default the server requires either providing it with <code>htpasswd</code> file or running it without authentication. If provided, the username and password pairs <code>htpassd</code> file will be used to authenticate the restic clients connecting to the server. To run the server without authentication, you can pass the flag using the <code>extraFlags</code> option like this: <code>services.restic.server.extraFlags = [ "--no-auth" ];</code>
Passing the <code>htpasswd</code> file should be done using one of the [[Comparison of secret managing schemes|secret management methods]].


== Security Wrapper ==
== Security Wrapper ==
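Review bot: In the added "Restic Rest Server" paragraph, the phrase "the username and password pairs <code>htpassd</code> file" misspells <code>htpasswd</code> and drops "in the". It should read "the username and password pairs in the <code>htpasswd</code> file". The same paragraph shows <code>services.restic.server.extraFlags = [ "--no-auth" ];</code> without saying that the server then authenticates no client at all. Add a sentence saying this is only appropriate where access to the server is restricted by other means. The note added under "=== Restic ===" also has a run of extra spaces before the <code>initialize</code> snippet and lacks a closing period.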
Line 15: Line 27:
If you want to back up your system [https://restic.readthedocs.io/en/latest/080_examples.html#backing-up-your-system-without-running-restic-as-root without running restic as root], you can create a user and security wrapper to give restic the capability to read anything on the filesystem as if it were running as root. The following will create the wrapper at <code>/run/wrappers/bin/restic</code>
If you want to back up your system [https://restic.readthedocs.io/en/latest/080_examples.html#backing-up-your-system-without-running-restic-as-root without running restic as root], you can create a user and security wrapper to give restic the capability to read anything on the filesystem as if it were running as root. The following will create the wrapper at <code>/run/wrappers/bin/restic</code>


<syntaxHighlight lang=nix>
<syntaxhighlight lang="nix">
users.users.restic = {
users = {
   isNormalUser = true;
  users.restic = {
    group = "restic";
    isSystemUser = true;
  };
   groups.restic = {};
};
};


security.wrappers.restic = {
security.wrappers.restic = {
   source = "${pkgs.restic.out}/bin/restic";
   source = lib.getExe pkgs.restic;
   owner = "restic";
   owner = "restic";
   group = "users";
   group = "restic";
   permissions = "u=rwx,g=,o=";
   permissions = "500"; # or u=rx,g=,o=
   capabilities = "cap_dac_read_search=+ep";
   capabilities = "cap_dac_read_search+ep";
};
</syntaxhighlight>
 
Note that you will have to set your Restic configuration to use the wrapper using the [https://search.nixos.org/options?channel=unstable&show=services.restic.backups.%3Cname%3E.package&from=0&size=50&sort=relevance&type=packages&query=services.restic.backups services.restic.backups.<name>.package] option, for example <ref>https://github.com/NixOS/nixpkgs/issues/341999#issuecomment-2558504576</ref>,
<syntaxHighlight lang=nix>
services.restic.backups.foo = {
  # ...
  user = "restic";
  package = pkgs.writeShellScriptBin "restic" ''
    exec /run/wrappers/bin/restic "$@"
  '';
};
};
</syntaxHighlight>
</syntaxHighlight>
[[Category:Applications]]
[[Category:Backup]]
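Review bot: The new wrapper settings (<code>owner = "restic"</code>, <code>group = "restic"</code>, <code>permissions = "500"</code>) are what stop users other than restic from executing a binary that carries <code>cap_dac_read_search</code>, but the surrounding text never says so. Add a sentence stating that the wrapper must stay executable by the restic user only, so that readers adapting the example do not loosen the mode or group. Two style points: <code>groups.restic = {};</code> is indented by three spaces while its sibling <code>users.restic</code> uses two, and the first block now opens with a lowercase syntaxhighlight tag and a quoted lang attribute while the newly added <code>services.restic.backups.foo</code> block uses the camel-case tag with an unquoted one. Pick one form for both.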