Differences

This shows you the differences between two versions of the page.

--- restic-with-rest-server [2026-02-23 08:07:41] – created hyperreal
+++ restic-with-rest-server [2026-03-14 20:19:56] (current) – removed hyperreal
@@ Line 1: / Line 1: @@
-====== Setting up Restic with rest-server ======
-===== Context =====
-I recently decided to start using my own home server to store my dotfiles. The main reasons are simplicity, privacy, and security. I previously stored them in a repository on my GitHub account and installed them with Ansible, but I have increasingly found it cumbersome when trying to keep them updated and in sync. On GitHub, the changes (and mistakes!) I make to my dotfiles are publicly viewable; sometimes I’ll make changes several times a day, sometimes scrapping a change entirely when I later realize it was not such a good idea or breaks something in my activity flow. I also would love the convenience of keeping SSH keys and GPG keychains in sync and updated, and storing them on a public server is obviously not an option, nor even in a private repository hosted on GitHub or GitLab.
-===== Cue Restic =====
-My home server is basically just my old 2013 MacBook Pro running Fedora Server edition. It has a 250GB SSD, which is more than enough for what I need. I also have a 1TB external SSD which I will use to emulate redundancy. I installed and configure the rest-server software to act as a backend for my Restic backups.
-===== Setting up the rest server =====
-First build the rest-server binary and move it to a directory in PATH. This step requires Go 1.11 or higher. Optionally, you can download the latest compiled rest-server binary from its releases page.
-  * [[https://github.com/restic/rest-server/releases|GitHub :: restic/rest-server/releases]]
-<code shell>
-git clone https://github.com/restic/rest-server
-cd rest-server/
-CGO_ENABLED=0 go build -o rest-server ./cmd/rest-server
-sudo cp -v rest-server /usr/local/bin/
-</code>
-I also configured the systemd unit file so that rest-server runs on startup with the appropriate flags. I need only configure the options User, Group, ExecStart, and ReadWritePaths in the [Service] section:
-<code shell>
-cd ~/rest-server/examples/systemd/
-ls .
-</code>
-rest-server.service:
-<code systemd>
-[Service]
-Type=simple
-User=restic-data
-Group=restic-data
-ExecStart=/usr/local/bin/rest-server --path /opt/restic-backups --no-auth
-Restart=always
-RestartSec=5
-# Optional security enhancements
-NoNewPrivileges=yes
-PrivateTmp=yes
-ProtectSystem=strict
-ProtectHome=yes
-ReadWritePaths=/opt/restic-backups
-</code>
-Since this is a local home server, I pass the ''%%--no-auth%%'' flag to the rest-server ExecStart command.
-I now create the restic-data user and group.
-  * Ensure a default home directory is not created under /home by passing the ''%%-M%%'' flag.
-  * Set a custom home directory for the user at /opt/restic-backups with the ''%%-d%%'' flag.
-  * Ensure the shell is assigned to ''%%/sbin/nologin%%''.
-  * The restic-data user is not meant to be used for logging in, so we pass the ''%%--system%%'' flag.
-<code shell>
-  sudo useradd -c "Restic Data" -M -d /opt/restic-backups -s /sbin/nologin --system restic-data
-</code>
-  * Ensure the backups path exists and has appropriate permissions.
-  * Copy the systemd unit file to a location where systemd will look for it.
-  * Enable and start the rest-server systemd service.
-<code shell>
-  sudo mkdir /opt/restic-backups
-  sudo chown -R restic-data:restic-data /opt/restic-backups
-  sudo cp -v rest-server.service /etc/systemd/system/
-  sudo systemctl daemon-reload
-  sudo systemctl enable --now rest-server.service
-</code>
-Since I’m using a firewall, I ensure the port the rest-server listens on is allowed locally:
-<code shell>
-  sudo firewall-cmd --zone`FedoraServer --permanent --add-port`8000/tcp
-  sudo firewall-cmd --reload
-</code>
-Now on the host, which in this case is my laptop, I have the Restic client installed from my distribution’s package repository.
-  * Initialize a Restic storage repository on the server from the host, and supply it with a password. This password will be used every time I attempt to access the storage repository.
-  * Backup my dotfiles
-<code shell>
-    restic -r rest:http://local-server:8000/dotfiles init
-    restic -r rest:http://local-server:8000/dotfiles backup ~/dotfiles
-</code>
-One of the best features of Restic is that it makes restory backups really simple. It also provides snapshot functionality, so I can restore different versions of specific files from other snapshots.
-<code shell>
-restic -r rest:http://local-server:8000/dotfiles snapshots
-enter password for repository:
-repository 9a280eb7 opened successfully, password is correct
-ID        Time                  Host       Tags        Paths
-------------------------------------------------------------------------------
-fec  2021-04-12 09:13:17   toolbox                /var/home/jeff/dotfiles
-dfc99aa3  2021-04-12 10:31:39   toolbox                /var/home/jeff/dotfiles
-f951eedf  2021-04-12 11:25:21   toolbox                /var/home/jeff/dotfiles
-62371897  2021-04-12 18:43:53   toolbox                /var/home/jeff/dotfiles
-------------------------------------------------------------------------------
-snapshots
-</code>
-Since Restic saves the backup’s absolute path, restoring it to / will ensure it is restored to its original location on the local filesystem. To restore a snapshot:
-<code shell>
-restic -r rest:http://local-server:8000/dotfiles restore dfc99aa3 --target /
-</code>
-To list files in a snapshot:
-<code shell>
-restic -r rest:http://local-server:8000/dotfiles ls dfc99aa3
-</code>
-Yay, very nice!
-===== Resources =====
-  * https://restic.net/
-  * https://github.com/restic/rest-server