Restic Systems Backup Setup, Part 3 - Setting up a client

This is Part 3 of my series on building a restic-based system backup series. The rest of the articles can be found here.

We've got enough things setup that we can start backing up a client system. We'll do this in two sections: setting up the server side, and setting up the client side.

Setting up the backup server side

Using 'new-restic-server' to set up the server

You can find new-restic-server in the git repo.

/backups/bin/new-restic-server -H -p 9002

will set up all of the per-client setup on the backup-server: making a minio config and path for storage, setting up a runsv directory to run the minio server, and creating access key and secret for the minio server. You will have to make sure the port you picked (in this example, 9002) is distinct between all clients backing up to this service.

Activing the minio server

Activating the minio server is a distinct step, but an easy one with our runsvdir setup:

ln -s /backups/systems/ /backups/systems/conf/runit/

A few seconds later, runsvdir will detect the new symlink and start the minio process.

Setting up the client side

Installing the binaries

I install these all in /usr/local/bin, you'll need to get a recent copy of restic, as well as the daily-restic-backups, restic-unroll and restic-wrapper scripts from the client directory of the git repo (handily linked at the end of this article).


First, make an /etc/restic configuration directory: sudo install -o root -g root -m 700 -d /etc/restic

Create the environ file

/etc/restic/environ contains a series of environment variables that the restic client will use to identify the repo to backup to, as well as the access keys for it. It looks like the following:

export AWS_ACCESS_KEY_ID=key goes here
export AWS_SECRET_ACCESS_KEY=secret key goes here
export RESTIC_PASSWORD_FILE=/etc/restic/repo-password

Most of these are self-explanitory. The RESTIC_REPOSITORY is marked as s3 because that's what minio looks like to it. It ends in /backups because you have to put things in a "bucket" RESTIC_PASSWORD_FILE causes restic to read from that file, instead of prompting for a password.

Create include and exclude files

Now the hardest part, deciding what to backup and exclude. Everything will be backed up from /, use full paths in the include an exclude files, which go in /etc/restic/include-files and /etc/restic/exclude-files respectively.

Configure repo password

sudo /bin/sh -c 'pwgen 32 1 > /etc/restic/repo-password'

Here, we're using the pwgen command to generate a single, 32 character long password. YOU MUST NOT LOSE THIS. This is the encryption key used to encrypt everything in the repo, and without it, you won't be able to recover anything. I store mine in a GnuPG encrypted git repo that I backup outside of my restic setup.

Initialize the repo

sudo /usr/local/bin/restic-wrapper init

will initialize the repo. It will spit out something like:

created restic backend bcae9b3f97 at s3: Please note that knowledge of your password is required to access the repository. Losing your password means that your data is irrecoverably lost.

Set up a cron job to do daily backups

backups-cron.d contains a useful cron.d snippet to perform daily backups, modify to your taste.


We now have a client system which backs up daily to a backup server storing data in minio. Future articles will talk about automated replication to additional repositories for redundancy.

As a reminder, you can find the canonical repository of all my utility scripts in this series here. You can also find them at github.