Restic: Difference between revisions

Line 21:

Restic Rest Server is one of the options for a remote repository<ref>https://restic.readthedocs.io/en/latest/030_preparing_a_new_repo.html#rest-server</ref>. It can be installed by enabling the <code>services.restic.server.enable</code> option. By default the server requires either providing it with <code>htpasswd</code> file or running it without authentication. If provided, the username and password pairs <code>htpassd</code> file will be used to authenticate the restic clients connecting to the server. To run the server without authentication, you can pass the flag using the <code>extraFlags</code> option like this: <code>services.restic.server.extraFlags = [ "--no-auth" ];</code>

~~Passing the <code>htpasswd</code> file should be done using one of the [[Comparison of secret managing schemes|secret management methods]].~~

==== Using a htpasswd file ====

==== ~~Creating~~ a htpasswd file ====

A htpasswd file must be created using the <code>apacheHttpd</code> package. Assuming that you do not already have this package, you may run the following to generate the file using nix shell. Note that the file will be hidden due to the "." at the start of the file.

Line 29:

Line 27:

$ nix shell nixpkgs#apacheHttpd -c htpasswd -B -c .htpasswd YOUR_USERNAME

</syntaxhighlight>

~~</syntaxhighlight>~~

To declaratively use the <code>htpasswd</code> file you will need to use a [[Comparison of secret managing schemes|secret management method]]. The following example uses [https://github.com/Mic92/sops-nix sops-nix].

{{File|3={config,inputs,...}:

{

imports =

[

inputs.sops-nix.nixosModules.sops

];

sops = {

age.keyFile = "/home/YOUR_USER/.config/sops/age/keys.txt";

defaultSopsFile = ./secrets.yaml;

secrets."restic_server/password" = {

owner = "restic";

group = "restic";

mode = "0400";

};

services.restic.server = {

enable = true;

htpasswd-file = config.sops.secrets."restic_server/password".path;

};

}|name=configuration.nix|lang=nix}}

== Security Wrapper ==

If you want to back up your system [https://restic.readthedocs.io/en/latest/080_examples.html#backing-up-your-system-without-running-restic-as-root without running restic as root], you can create a user and security wrapper to give restic the capability to read anything on the filesystem as if it were running as root. The following will create the wrapper at <code>/run/wrappers/bin/restic</code>

If you want to back up your system [https://restic.readthedocs.io/en/latest/080_examples.html#backing-up-your-system-without-running-restic-as-root without running restic as root], you can create a user and security wrapper to give restic the capability to read anything on the filesystem as if it were running as root. The following will create the wrapper at <code>/run/wrappers/bin/restic</code>:

{{File|3={

users = {

users.restic = {

group = "restic";

isSystemUser = true;

};

groups.restic = {};

};

~~<syntaxhighlight lang~~=~~"nix">~~

security.wrappers.restic = {

~~users~~ = {

source = lib.getExe pkgs.restic;

~~users~~.restic = {

owner = "restic";

group = "restic";

~~isSystemUser~~ = ~~true~~;

permissions = "500"; # or u=rx,g=,o=

capabilities = "cap_dac_read_search+ep";

};

~~groups.restic = {~~};

}|name=configuration.nix|lang=nix}}

};

~~security.wrappers.restic~~ = {

~~source = lib.getExe pkgs.restic;~~

~~owner = "restic";~~

~~group = "restic";~~

~~permissions = "500"; # or u=rx,g=,o=~~

~~capabilities = "cap_dac_read_search+ep";~~

};

~~</syntaxhighlight>~~

~~Note that you will have to set your Restic~~ configuration ~~to use the wrapper using the [https://search~~.nixos.org/options?channel=unstable&show=services.restic.backups.%3Cname%3E.package&from=0&size=50&sort=relevance&type=packages&query=services.restic.backups services.restic.backups.<name>.package] option, for example <ref>https://github.com/NixOS/nixpkgs/issues/341999#issuecomment-2558504576</ref>,

~~<syntaxHighlight~~ lang=nix>

~~services.restic.backups.foo = {~~

~~# ...~~

~~user = "restic";~~

~~package = pkgs.writeShellScriptBin "restic" ''~~

~~exec /run/wrappers/bin/restic "$@"~~

~~'';~~

};

~~</syntaxHighlight>~~

Note that you will have to set your Restic configuration to use the wrapper using the [https://search.nixos.org/options?channel=unstable&show=services.restic.backups.%3Cname%3E.package&from=0&size=50&sort=relevance&type=packages&query=services.restic.backups services.restic.backups.<name>.package] option, for example <ref>https://github.com/NixOS/nixpkgs/issues/341999#issuecomment-2558504576</ref>:

{{File|3={

services.restic.backups.foo = {

# ...

user = "restic";

package = pkgs.writeShellScriptBin "restic" ''

exec /run/wrappers/bin/restic "$@"

'';

};

}|name=configuration.nix|lang=nix}}

[[Category:Applications]]

[[Category:Backup]]

@@ Line 21: / Line 21: @@
 Restic Rest Server is one of the options for a remote repository<ref>https://restic.readthedocs.io/en/latest/030_preparing_a_new_repo.html#rest-server</ref>. It can be installed by enabling the <code>services.restic.server.enable</code> option. By default the server requires either providing it with <code>htpasswd</code> file or running it without authentication. If provided, the username and password pairs <code>htpassd</code> file will be used to authenticate the restic clients connecting to the server. To run the server without authentication, you can pass the flag using the <code>extraFlags</code> option like this: <code>services.restic.server.extraFlags = [ "--no-auth" ];</code>
-Passing the <code>htpasswd</code> file should be done using one of the [[Comparison of secret managing schemes|secret management methods]].
+==== Using a htpasswd file ====
-==== Creating a htpasswd file ====
 A htpasswd file must be created using the <code>apacheHttpd</code> package. Assuming that you do not already have this package, you may run the following to generate the file using nix shell. Note that the file will be hidden due to the "." at the start of the file.
@@ Line 29: / Line 27: @@
 <syntaxhighlight lang="console">
 $ nix shell nixpkgs#apacheHttpd -c htpasswd -B -c .htpasswd YOUR_USERNAME
+</syntaxhighlight>
-</syntaxhighlight>
+To declaratively use the <code>htpasswd</code> file you will need to use a [[Comparison of secret managing schemes|secret management method]]. The following example uses [https://github.com/Mic92/sops-nix sops-nix].
+{{File|3={config,inputs,...}:
+{
+  imports =
+  [
+    inputs.sops-nix.nixosModules.sops
+  ];
+  sops = {
+    age.keyFile = "/home/YOUR_USER/.config/sops/age/keys.txt";
+    defaultSopsFile = ./secrets.yaml;
+    secrets."restic_server/password" = {
+      owner = "restic";
+      group = "restic";
+      mode  = "0400";
+    };
+  };
+  services.restic.server = {
+    enable = true;
+    htpasswd-file = config.sops.secrets."restic_server/password".path;
+  };
+}|name=configuration.nix|lang=nix}}
 == Security Wrapper ==
-If you want to back up your system [https://restic.readthedocs.io/en/latest/080_examples.html#backing-up-your-system-without-running-restic-as-root without running restic as root], you can create a user and security wrapper to give restic the capability to read anything on the filesystem as if it were running as root. The following will create the wrapper at <code>/run/wrappers/bin/restic</code>
+If you want to back up your system [https://restic.readthedocs.io/en/latest/080_examples.html#backing-up-your-system-without-running-restic-as-root without running restic as root], you can create a user and security wrapper to give restic the capability to read anything on the filesystem as if it were running as root. The following will create the wrapper at <code>/run/wrappers/bin/restic</code>:
+{{File|3={
+  users = {
+    users.restic = {
+      group = "restic";
+      isSystemUser = true;
+    };
+    groups.restic = {};
+  };
-<syntaxhighlight lang="nix">
+  security.wrappers.restic = {
-users = {
+    source = lib.getExe pkgs.restic;
-  users.restic = {
+    owner = "restic";
      group = "restic";
-     isSystemUser = true;
+     permissions = "500"; # or u=rx,g=,o=
+    capabilities = "cap_dac_read_search+ep";
    };
-  groups.restic = {};
+}|name=configuration.nix|lang=nix}}
-};
-security.wrappers.restic = {
-  source = lib.getExe pkgs.restic;
-  owner = "restic";
-  group = "restic";
-  permissions = "500"; # or u=rx,g=,o=
-  capabilities = "cap_dac_read_search+ep";
-};
-</syntaxhighlight>
-Note that you will have to set your Restic configuration to use the wrapper using the [https://search.nixos.org/options?channel=unstable&show=services.restic.backups.%3Cname%3E.package&from=0&size=50&sort=relevance&type=packages&query=services.restic.backups services.restic.backups.<name>.package] option, for example <ref>https://github.com/NixOS/nixpkgs/issues/341999#issuecomment-2558504576</ref>,
-<syntaxHighlight lang=nix>
-services.restic.backups.foo = {
-  # ...
-  user = "restic";
-  package = pkgs.writeShellScriptBin "restic" ''
-    exec /run/wrappers/bin/restic "$@"
-  '';
-};
-</syntaxHighlight>
+Note that you will have to set your Restic configuration to use the wrapper using the [https://search.nixos.org/options?channel=unstable&show=services.restic.backups.%3Cname%3E.package&from=0&size=50&sort=relevance&type=packages&query=services.restic.backups services.restic.backups.<name>.package] option, for example <ref>https://github.com/NixOS/nixpkgs/issues/341999#issuecomment-2558504576</ref>:
+{{File|3={
+  services.restic.backups.foo = {
+    # ...
+    user = "restic";
+    package = pkgs.writeShellScriptBin "restic" ''
+      exec /run/wrappers/bin/restic "$@"
+    '';
+  };
+}|name=configuration.nix|lang=nix}}
 [[Category:Applications]]
 [[Category:Backup]]