Use Fedder's TrueNAS for Restic backups #153

Merged
samsapti merged 8 commits from restic_fedder into main 2023-03-05 22:01:54 +00:00
Owner

Thanks Fedder!

Note: This is untested, we can't really test this in Vagrant.
samsapti added 3 commits 2023-01-24 21:14:44 +00:00
samsapti added the
Infrastructure Issue
label 2023-01-27 15:54:41 +00:00
reynir reviewed 2023-02-09 08:18:36 +00:00
@ -33,3 +34,2 @@
restic_secrets:
user_secret: xxx
encryption_secret: xxx
user_password: xxx
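Review bot: `user_password` (placeholder `xxx` here) is only consumed by the `rest:https://user:password@host` repository form; once the backup and prune jobs in this PR point at an sftp repository nothing reads it, so drop it from `restic_secrets` rather than leaving an unused credential in the vault that survives future rotations and invites someone to "fix" the deployment by wiring it back in.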
Owner

Do we use this?
Author
Owner

Actually no, we only used it with Decibyte's Restic server. I'll remove it.
samsapti marked this conversation as resolved
@ -55,0 +53,4 @@
domain: "rynkeby.skovgaard.tel"
volume_folder: "{{ volume_root_folder }}/restic"
repository: "/mnt/SpinningRust/data.coop-backup/restic"
ssh_pubkey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN1lNLshXytq+mx2LPzm8Neh/nrVqCR3iDXPONzBag9s restic@fedder
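Review bot: `ssh_pubkey` duplicates information already present in the private key kept in secrets (`ssh-keygen -y -f <keyfile>` prints exactly this line from it), so the two values can drift apart after a key rotation and the playbook would then install an `authorized_keys` entry that no longer matches the key the container presents; derive the public half from the private key at deploy time, or keep a single source for both. The absolute `repository` path `/mnt/SpinningRust/data.coop-backup/restic` also binds the playbook to the current disk layout on the remote host, which is worth a comment so the next person knows where it has to be changed.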
Owner

Can we derive the pubkey from the privkey in secrets? We have to update the key in two places now.
Author
Owner

We probably could, I'll make the change.
samsapti marked this conversation as resolved
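The thread above asks whether the public key can be derived from the private key that already lives in secrets. The following is an added illustration, not code from this repository or from the restic project: a stdlib-only Python reader for the `openssh-key-v1` file format that extracts the `authorized_keys` line (type, blob, and, for unencrypted ed25519 keys, the comment) and checks a hardcoded `ssh_pubkey` value against it. The sample key file is constructed inline from arbitrary bytes so the script runs offline; it has the right on-disk layout but is not a usable keypair. In a playbook the same check could be done with `ssh-keygen -y -f`, or this logic could be wrapped in a custom filter plugin (both are suggestions, not something the PR contains).

```python
import base64
import struct

PEM_HEADER = "-----BEGIN OPENSSH PRIVATE KEY-----"
PEM_FOOTER = "-----END OPENSSH PRIVATE KEY-----"
MAGIC = b"openssh-key-v1\x00"


def _get_string(buf: bytes, off: int):
    """Read one SSH wire 'string' (uint32 big-endian length + bytes) at offset."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated key data")
    return buf[off:off + n], off + n


def _put_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def public_key_from_private(pem_text: str) -> str:
    """Return the authorized_keys-style line embedded in an openssh-key-v1 file.

    The public key blob is stored in cleartext even for passphrase-protected
    keys; the comment sits in the private section and is only recovered here
    for unencrypted ssh-ed25519 keys (other key types lay that section out
    differently).
    """
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if len(lines) < 3 or lines[0] != PEM_HEADER or lines[-1] != PEM_FOOTER:
        raise ValueError("not an OpenSSH private key")
    blob = base64.b64decode("".join(lines[1:-1]))
    if not blob.startswith(MAGIC):
        raise ValueError("bad magic")
    off = len(MAGIC)
    cipher, off = _get_string(blob, off)
    _kdf, off = _get_string(blob, off)
    _kdfopts, off = _get_string(blob, off)
    (nkeys,) = struct.unpack_from(">I", blob, off)
    off += 4
    if nkeys != 1:
        raise ValueError(f"expected 1 key, found {nkeys}")
    pub_blob, off = _get_string(blob, off)
    keytype, _ = _get_string(pub_blob, 0)
    comment = b""
    if cipher == b"none" and keytype == b"ssh-ed25519":
        priv, _ = _get_string(blob, off)
        p = 8  # skip the two uint32 check values
        _, p = _get_string(priv, p)  # key type, repeated
        _, p = _get_string(priv, p)  # public key
        _, p = _get_string(priv, p)  # seed || public key
        comment, _ = _get_string(priv, p)
    line = f"{keytype.decode()} {base64.b64encode(pub_blob).decode()}"
    return f"{line} {comment.decode()}" if comment else line


def pubkey_matches_private(pem_text: str, pubkey_line: str) -> bool:
    """True when pubkey_line (type + blob; comment ignored) belongs to the private key."""
    want = public_key_from_private(pem_text).split()[:2]
    return pubkey_line.split()[:2] == want


def build_sample_private_key(pk: bytes, seed: bytes, comment: str) -> str:
    """Constructed, unencrypted ssh-ed25519 key file for demonstration only.

    pk and seed are arbitrary bytes, not a real keypair, so the result cannot
    sign anything; it only reproduces the openssh-key-v1 layout.
    """
    pub_blob = _put_string(b"ssh-ed25519") + _put_string(pk)
    priv = struct.pack(">II", 0x1234ABCD, 0x1234ABCD)
    priv += _put_string(b"ssh-ed25519") + _put_string(pk)
    priv += _put_string(seed + pk) + _put_string(comment.encode())
    pad = 1
    while len(priv) % 8:  # cipher "none": pad to 8-byte blocks with 1, 2, 3, ...
        priv += bytes([pad])
        pad += 1
    body = (MAGIC + _put_string(b"none") + _put_string(b"none") + _put_string(b"")
            + struct.pack(">I", 1) + _put_string(pub_blob) + _put_string(priv))
    b64 = base64.b64encode(body).decode()
    wrapped = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"{PEM_HEADER}\n{wrapped}\n{PEM_FOOTER}\n"


if __name__ == "__main__":
    sample = build_sample_private_key(bytes(range(32)), bytes(32), "restic@example")
    print(public_key_from_private(sample))
```

Running the check at deploy time (rather than trusting a second copy of the key) means a rotated private key that was not mirrored into `ssh_pubkey` fails loudly before the old public key is written to the server.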
@ -2,1 +2,4 @@
---
- name: Create SSH directory
file:
name: "{{ services.restic.volume_folder }}/ssh"
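Review bot: `name:` is accepted by the `file` module as an alias of `path`, but the module defaults to `state: file`, which reports an error when the target does not exist yet; the visible lines do not show `state: directory`, so make sure it is set (together with the restrictive mode the key directory needs) or this task creates nothing on a fresh host.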
Owner

Shouldn't it be `.ssh`? Is `{{ services.restic.volume_folder }}` the `$HOME` dir of root?
Author
Owner

No, it evaluates to `/docker-volumes/restic/ssh`. It doesn't need to be in root's `$HOME`, and I also think it's better to place it in Restic's folder, since this is the only service that uses it. It also doesn't need to be hidden, since we can bind mount it to a different name inside the container (also this makes it visible with a simple `ls`).
samsapti marked this conversation as resolved
@ -3,0 +3,4 @@
- name: Create SSH directory
file:
name: "{{ services.restic.volume_folder }}/ssh"
owner: root
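Review bot: `owner: root` is only correct if the process inside the container runs as uid 0; if the image drops privileges, a `0700` directory owned by root makes the key unreadable and the backup fails at the ssh step instead of at deploy time. Confirm the image's runtime user (its `USER` directive or `docker inspect` output) and, if it is not root, set `owner` to that uid, since the directory is bind-mounted into the container unchanged.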
Owner

It's probably correct seeing what most containers do, but we could confirm it's running as root.
Author
Owner

It's also possible with this location, since `mode: '0700'` denies read permission for everyone else.
samsapti marked this conversation as resolved
@ -14,3 +38,3 @@
RUN_ON_STARTUP: "false"
BACKUP_CRON: "0 30 3 * * *"
RESTIC_REPOSITORY: "rest:https://{{ services.restic.user }}:{{ restic_secrets.user_password }}@{{ services.restic.domain }}/{{ services.restic.repository }}"
RESTIC_REPOSITORY: "sftp:{{ services.restic.user }}@{{ services.restic.domain }}:{{ services.restic.repository }}"
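Review bot: the replaced `rest:https://user:password@...` form put `restic_secrets.user_password` into a container environment variable, readable by anyone with `docker inspect` or `/proc/<pid>/environ` access; the sftp form removes the secret from the URL, but it now depends on the container's SSH client verifying the server's host key. Make sure a `known_hosts` entry for `services.restic.domain` is provisioned next to the private key, otherwise the first non-interactive connection fails, or, if `StrictHostKeyChecking` gets disabled to work around that, any host answering on that name is accepted.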
Owner

Isn't sftp urls sftp://user@host/path/from/root?
Author
Owner

No, the URL format is actually `sftp://user@host[:port]//path/from/root` (double slash) or `sftp://user@host[:port]/relative/path/to/home`, but Restic only requires the URL format in case of a specified port number or an IPv6 address. If not, it only wants the `sftp:` prefix, followed by the format you would use with `scp`, `sftp:user@host:/path/to/repo`. https://restic.readthedocs.io/en/stable/030_preparing_a_new_repo.html#sftp
samsapti marked this conversation as resolved
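The reply above distinguishes restic's scp-like `sftp:user@host:path` form from the URL form with `//` for absolute paths and `/` for home-relative ones. As an added example (not code from this repository or from restic), the following Python parses both forms into their components and emits the shortest spec restic accepts for a given host, path and optional port, so a template like the `RESTIC_REPOSITORY` line above can be checked before it is deployed. Host names and paths in the usage are taken from this PR; the port value and the IPv6 literal are constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class SftpRepo:
    user: Optional[str]
    host: str
    port: Optional[int]
    path: str  # absolute when it starts with "/", otherwise relative to the login user's home


def parse_restic_sftp(spec: str) -> SftpRepo:
    """Parse a restic sftp repository spec in either accepted form."""
    if not spec.startswith("sftp:"):
        raise ValueError("not an sftp repository spec")
    if spec.startswith("sftp://"):
        # URL form: the only one that can carry a port or an IPv6 literal.
        u = urlsplit(spec)
        if not u.hostname:
            raise ValueError("URL form needs a host")
        if u.path.startswith("//"):
            path = u.path[1:]  # //abs/path -> /abs/path
        elif u.path.startswith("/") and len(u.path) > 1:
            path = u.path[1:]  # /rel/path -> rel/path (relative to $HOME)
        else:
            raise ValueError("URL form needs a path")
        return SftpRepo(u.username, u.hostname, u.port, path)
    # scp-like form: sftp:[user@]host:path, no port possible.
    hostpart, sep, path = spec[len("sftp:"):].partition(":")
    if not sep or not path or not hostpart:
        raise ValueError("scp-like form needs host:path")
    user, _, host = hostpart.rpartition("@")
    return SftpRepo(user or None, host, None, path)


def build_sftp_spec(user: str, host: str, path: str, port: Optional[int] = None) -> str:
    """Emit the scp-like form unless a port or IPv6 literal forces the URL form."""
    if port is None and ":" not in host:
        return f"sftp:{user}@{host}:{path}"
    hostpart = f"[{host}]" if ":" in host else host
    portpart = f":{port}" if port is not None else ""
    # Prefixing "/" to an absolute path yields the double slash the URL form requires.
    return f"sftp://{user}@{hostpart}{portpart}/{path}"


if __name__ == "__main__":
    # Mirrors the sftp:{{ user }}@{{ domain }}:{{ repository }} template from this PR.
    spec = build_sftp_spec("restic", "rynkeby.skovgaard.tel",
                           "/mnt/SpinningRust/data.coop-backup/restic")
    print(spec)
    print(parse_restic_sftp(spec))
```

The round trip makes the failure mode concrete: a non-default port silently cannot be expressed in the scp-like template, so a playbook that later adds `services.restic.port` has to switch the template to the URL form and double the slash for absolute repository paths.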
@ -35,3 +60,3 @@
RUN_ON_STARTUP: "false"
PRUNE_CRON: "0 0 4 * * *"
RESTIC_REPOSITORY: "rest:https://{{ services.restic.user }}:{{ restic_secrets.user_password }}@{{ services.restic.domain }}/{{ services.restic.repository }}"
RESTIC_REPOSITORY: "sftp:{{ services.restic.user }}@{{ services.restic.domain }}:{{ services.restic.repository }}"
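Review bot: same point as for the backup job above. With `BACKUP_CRON: "0 30 3 * * *"` there and `PRUNE_CRON: "0 0 4 * * *"` here, the two jobs are only 30 minutes apart; restic prune needs an exclusive repository lock and exits with an error if the 03:30 backup still holds its lock, so on a night with a long backup pruning is skipped without anyone noticing. Widen the gap or schedule prune on a day the backup cannot overlap, and make sure the container logs of the prune job are actually monitored.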
Owner

Same comment as above regarding sftp urls.
samsapti marked this conversation as resolved
samsapti added 2 commits 2023-02-11 18:21:11 +00:00
samsapti added 1 commit 2023-02-11 18:35:03 +00:00
It's better to make it relative to `$HOME`, in case Fedder decides to
move it some day.
samsapti added 1 commit 2023-02-11 19:55:21 +00:00
Author
Owner

I also added an SSH config file. From the [Restic docs](https://restic.readthedocs.io/en/stable/030_preparing_a_new_repo.html#sftp):

> Please be aware that sftp servers close connections when no data is received by the client. This can happen when restic is processing huge amounts of unchanged data. To avoid this issue add the following lines to the client’s .ssh/config file:
>
> ```
> ServerAliveInterval 60
> ServerAliveCountMax 240
> ```
samsapti added 1 commit 2023-03-05 22:00:40 +00:00
samsapti merged commit 9a4912f9b5 into main 2023-03-05 22:01:54 +00:00
samsapti deleted branch restic_fedder 2023-03-05 22:01:54 +00:00
samsapti changed title from User Fedder's TrueNAS for Restic backups to Use Fedder's TrueNAS for Restic backups 2023-12-12 18:57:51 +00:00
No description provided.