@plembo
Last active March 2, 2024 18:55
Restic backup

Backups with restic

We just recently began to use restic as our main backup solution at home. I'm posting this mostly to document the configuration for myself. Anyone interested in using restic should thoroughly read the documentation before proceeding.

By default, backups are run with encryption and compression enabled. Although many people have all hosts in a multi-host network sharing a single repo, I chose to separate them out (to limit the impact of any future data corruption and simplify security configuration).

I use the latest restic binary release rather than the outdated version available from my Linux distribution.

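On Linux, restic runs as an unprivileged user (creatively named "restic") with a binary that has been granted the capability to read the entire filesystem (do this as root):

# Restrict execution to root and the restic group before granting the capability
chown root:restic /home/restic/bin/restic
chmod 750 /home/restic/bin/restic
setcap cap_dac_read_search=+ep /home/restic/bin/restic

Changing ownership as shown above is absolutely necessary: otherwise any local user who can execute the binary could use its capability to read files they normally could not. See "Backing up your system without running restic as root".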

Backup scripts

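In my scheme, each host gets its own environment file, stored under /home/restic/.config/restic. The main differences between hosts are the repository path and password. Because each file holds the repository password in plain text, keep it readable only by the restic user (for example, mode 600).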

/home/restic/.config/restic/backup-server1.env:

export RESTIC_REPOSITORY=/data1/restic/server1
export RESTIC_PASSWORD=****
export RESTIC_DAILY=7
export RESTIC_WEEKLY=4
export RESTIC_MONTHLY=2

/home/restic/.config/restic/backup-desktop1.env:

export RESTIC_REPOSITORY=sftp:server1:/data1/restic/desktop1
export RESTIC_PASSWORD=****
export RESTIC_DAILY=7
export RESTIC_WEEKLY=4
export RESTIC_MONTHLY=2
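
The capability-bearing binary and the password-bearing environment files are the two places where a permissions slip exposes data, so a preflight check is useful. The following is an added example, not part of the original gist; the function names and the `--run` switch are hypothetical, the paths default to this page's layout, and it assumes GNU `stat` (plus `getcap` if installed).

```bash
#!/bin/bash
# Added example: audit the restic binary and env files (names are hypothetical).
RESTIC_BIN="${RESTIC_BIN:-/home/restic/bin/restic}"
RESTIC_CONF="${RESTIC_CONF:-/home/restic/.config/restic}"

# True if FILE has no permission bits outside the octal MASK.
perms_within() {
    local file=$1 mask=$2 mode
    mode=$(stat -c '%a' "$file") || return 2
    [ $(( 0$mode & ~0$mask & 07777 )) -eq 0 ]
}

# The binary carries cap_dac_read_search, so whoever may execute it can read
# any file: require root:restic ownership and nothing beyond mode 750.
audit_binary() {
    local bin=$1 rc=0
    if [ "$(stat -c '%U:%G' "$bin")" != "root:restic" ]; then
        echo "FAIL: $bin is not owned by root:restic"; rc=1
    fi
    if ! perms_within "$bin" 750; then
        echo "FAIL: $bin mode exceeds 750"; rc=1
    fi
    if command -v getcap >/dev/null 2>&1 &&
       ! getcap "$bin" 2>/dev/null | grep -q cap_dac_read_search; then
        echo "FAIL: $bin lacks cap_dac_read_search"; rc=1
    fi
    return "$rc"
}

# Each backup-*.env holds RESTIC_PASSWORD in plain text: owner-only access.
# Returns the number of files that group or others can access.
audit_env_files() {
    local dir=$1 f bad=0
    for f in "$dir"/backup-*.env; do
        [ -e "$f" ] || continue
        if ! perms_within "$f" 600; then
            echo "FAIL: $f is mode $(stat -c '%a' "$f"), expected 600 or stricter"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

if [ "${1:-}" = "--run" ]; then
    audit_binary "$RESTIC_BIN"; b=$?
    audit_env_files "$RESTIC_CONF"; e=$?
    [ "$b" -eq 0 ] && [ "$e" -eq 0 ] && echo "OK: restic setup looks sane"
fi
```

Run it with `--run` as root or as the restic user; without the switch it only defines the functions.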

Exclude select folders/files (/home/restic/.config/restic/excludes.txt). This is relatively constant across hosts:

.cache
.Cache
cache/*
Cache/*
caches/*
/var/log/*
tmp/*
tor_browser/

Include select folders. This will vary by host, so I append the host name (/home/restic/.config/restic/includes-desktop1.txt):

/root
/home
/data1/library
/data1/www
/etc
/var
/data1/docker
/data1/kvm

This shell script backs up the folders listed in the includes file above. It is saved as /home/restic/bin/restic-backup.sh and sources its configuration from the host's environment file:

#!/bin/bash
# Back up to the restic repository configured in the host's environment file
HOST=$(hostname | cut -f1 -d.)
# Load RESTIC_REPOSITORY, RESTIC_PASSWORD and the retention settings
. "/home/restic/.config/restic/backup-${HOST}.env"
INCLUDES="/home/restic/.config/restic/includes-${HOST}.txt"
EXCLUDES="/home/restic/.config/restic/excludes.txt"
LOGFILE="/data1/logs/restic/backup-${HOST}.log"
TIMESTAMP=$(date +%Y%m%d%H%M%S)

# Start a fresh log for this run
echo "${TIMESTAMP} Backup ${HOST} to restic repo" >"${LOGFILE}"
# --iexclude-file applies the exclude patterns case-insensitively
/home/restic/bin/restic backup \
 --files-from "${INCLUDES}" \
 --iexclude-file "${EXCLUDES}" \
 >>"${LOGFILE}"

TIMESTAMP=$(date +%Y%m%d%H%M%S)
echo "${TIMESTAMP} Backup completed" >>"${LOGFILE}"

Maintenance script (/home/restic/bin/restic-prune.sh):

#!/bin/bash
# Prune the backup repo according to the retention settings in the env file
HOST=$(hostname | cut -f1 -d.)
. "/home/restic/.config/restic/backup-${HOST}.env"
LOGFILE="/data1/logs/restic/prune-${HOST}.log"
TIMESTAMP=$(date +%Y%m%d%H%M%S)

# Start a fresh log for this run
echo "${TIMESTAMP} Prune restic repo" >"${LOGFILE}"
# Forget snapshots outside the retention policy, then remove unreferenced data
/home/restic/bin/restic forget --prune \
 --keep-daily "${RESTIC_DAILY}" \
 --keep-weekly "${RESTIC_WEEKLY}" \
 --keep-monthly "${RESTIC_MONTHLY}" \
 >>"${LOGFILE}"

TIMESTAMP=$(date +%Y%m%d%H%M%S)
echo "${TIMESTAMP} Pruning completed" >>"${LOGFILE}"