Thu, 02 Nov 2017
Restic Systems Backup Setup, Part 3 - Setting up a client
Setting up the backup server side
Using 'new-restic-server' to set up the server
You can find
new-restic-server in the git repo.
/backups/bin/new-restic-server -H aclient.example.com -p 9002
will set up all of the per-client setup on the backup-server: making a
config and path for storage, setting up a
runsv directory to run the
minio server, and creating access key and secret for the
You will have to make sure the port you picked (in this example,
distinct between all clients backing up to this service.
Activing the minio server
minio server is a distinct step, but an easy one with our
ln -s /backups/systems/aserver.example.com/conf/runsvs/minio /backups/systems/conf/runit/aserver.example.com-minio
A few seconds later,
runsvdir will detect the new symlink and start the minio process.
Setting up the client side
Installing the binaries
I install these all in
/usr/local/bin, you'll need to get a recent copy
of restic, as well as the
restic-wrapper scripts from the
directory of the git repo (handily linked at the end of this article).
First, make an
/etc/restic configuration directory:
sudo install -o root -g root -m 700 -d /etc/restic
Create the environ file
/etc/restic/environ contains a series of environment variables that the
client will use to identify the repo to backup to, as well as the access keys for it. It looks like
export AWS_ACCESS_KEY_ID=key goes here export AWS_SECRET_ACCESS_KEY=secret key goes here export RESTIC_REPOSITORY=s3:https://backup-server.example.com:9002/backups export RESTIC_PASSWORD_FILE=/etc/restic/repo-password
Most of these are self-explanitory. The
RESTIC_REPOSITORY is marked as
because that's what
minio looks like to it. It ends in
you have to put things in a "bucket"
to read from that file, instead of prompting for a password.
Create include and exclude files
Now the hardest part, deciding what to backup and exclude. Everything will be backed up from
/, use full paths in the include an exclude files, which go in
Configure repo password
sudo /bin/sh -c 'pwgen 32 1 > /etc/restic/repo-password'
Here, we're using the
pwgen command to generate a single, 32 character long
password. YOU MUST NOT LOSE THIS. This is the encryption key used to encrypt
everything in the repo, and without it, you won't be able to recover anything. I store mine
in a GnuPG encrypted git repo that I backup outside of my restic setup.
Initialize the repo
sudo /usr/local/bin/restic-wrapper init
will initialize the repo. It will spit out something like:
created restic backend bcae9b3f97 at s3:https://backup-server.example.com:9002/backups Please note that knowledge of your password is required to access the repository. Losing your password means that your data is irrecoverably lost.
Set up a cron job to do daily backups
contains a useful
cron.d snippet to perform daily backups, modify to your taste.
We now have a client system which backs up daily to a backup server storing
minio. Future articles will talk about automated replication
to additional repositories for redundancy.