Use Fedder's TrueNAS for Restic backups #153

samsapti · 2023-01-24T21:14:43Z

samsapti commented

2023-01-24 21:14:43 +00:00

Thanks Fedder!

Note: This is untested, we can't really test this in Vagrant.

Thanks Fedder! Note: This is untested, we can't really test this in Vagrant.

samsapti added 3 commits 2023-01-24 21:14:44 +00:00

Add SSH key e3c60f4ba9

Update secrets.yml.contents ca3a869cd8

Use Fedder's host for backups 3df4301513

samsapti added the

Infrastructure Issue

label 2023-01-27 15:54:41 +00:00

reynir reviewed 2023-02-09 08:18:36 +00:00

group_vars/all/secrets.yml.contents

					
				@ -33,3 +34,2 @@

				restic_secrets:

				  user_secret: xxx

				  encryption_secret: xxx

				  user_password: xxx

reynir commented

2023-02-09 08:11:58 +00:00

Do we use this?

samsapti commented

2023-02-11 17:35:25 +00:00

Actually no, we only used it with Decibyte's Restic server. I'll remove it.

samsapti marked this conversation as resolved

roles/docker/defaults/main.yml Outdated

					
				@ -55,0 +53,4 @@

				    domain: "rynkeby.skovgaard.tel"

				    volume_folder: "{{ volume_root_folder }}/restic"

				    repository: "/mnt/SpinningRust/data.coop-backup/restic"

				    ssh_pubkey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN1lNLshXytq+mx2LPzm8Neh/nrVqCR3iDXPONzBag9s restic@fedder

reynir commented

2023-02-09 08:13:04 +00:00

Can we derive the pubkey from the privkey in secrets? We have to update the key in two places now.

samsapti commented

2023-02-11 17:55:59 +00:00

We probably could, I'll make the change.

samsapti marked this conversation as resolved

roles/docker/tasks/services/restic_backup.yml Outdated

					
				@ -2,1 +2,4 @@

				---

				- name: Create SSH directory

				  file:

				    name: "{{ services.restic.volume_folder }}/ssh"

reynir commented

2023-02-09 08:16:20 +00:00

Shouldn't it be .ssh? Is {{ services.restic.volume_folder }} the $HOME dir of root?

Shouldn't it be `.ssh`? Is `{{ services.restic.volume_folder }}` the `$HOME` dir of root?

samsapti commented

2023-02-11 17:40:43 +00:00

No, it evaluates to /docker-volumes/restic/ssh. It doesn't need to be in root's $HOME, and I also think it's better to place it in Restic's folder, since this is the only service that uses it. It also doesn't need to be hidden, since we can bind mount it to a different name inside the container (also this makes it visible with a simple ls).

No, it evaluates to `/docker-volumes/restic/ssh`. It doesn't need to be in root's `$HOME`, and I also think it's better to place it in Restic's folder, since this is the only service that uses it. It also doesn't need to be hidden, since we can bind mount it to a different name inside the container (also this makes it visible with a simple `ls`).

samsapti marked this conversation as resolved

roles/docker/tasks/services/restic_backup.yml

					
				@ -3,0 +3,4 @@

				- name: Create SSH directory

				  file:

				    name: "{{ services.restic.volume_folder }}/ssh"

				    owner: root

reynir commented

2023-02-09 08:14:02 +00:00

It's probably correct seeing what most containers do, but we could confirm it's running as root.

samsapti commented

2023-02-11 17:41:57 +00:00

It's also possible with this location, since mode: '0700' denies read permission for everyone else.

It's also possible with this location, since `mode: '0700'` denies read permission for everyone else.

samsapti marked this conversation as resolved

roles/docker/tasks/services/restic_backup.yml Outdated

					
				@ -14,3 +38,3 @@

				            RUN_ON_STARTUP: "false"

				            BACKUP_CRON: "0 30 3 * * *"

				            RESTIC_REPOSITORY: "rest:https://{{ services.restic.user }}:{{ restic_secrets.user_password }}@{{ services.restic.domain }}/{{ services.restic.repository }}"

				            RESTIC_REPOSITORY: "sftp:{{ services.restic.user }}@{{ services.restic.domain }}:{{ services.restic.repository }}"

reynir commented

2023-02-09 08:17:24 +00:00

Isn't sftp urls sftp://user@host/path/from/root?

Isn't sftp urls `sftp://user@host/path/from/root`?

samsapti commented

2023-02-11 17:51:00 +00:00

No, the URL format is actually sftp://user@host[:port]//path/from/root (double slash) or sftp://user@host[:port]/relative/path/to/home, but Restic only requires the URL format in case of a specified port number or an IPv6 address. If not, it only wants the sftp: prefix, followed by the format you would use with scp, sftp:user@host:/path/to/repo.
https://restic.readthedocs.io/en/stable/030_preparing_a_new_repo.html#sftp

No, the URL format is actually `sftp://user@host[:port]//path/from/root` (double slash) or `sftp://user@host[:port]/relative/path/to/home`, but Restic only requires the URL format in case of a specified port number or an IPv6 address. If not, it only wants the `sftp:` prefix, followed by the format you would use with `scp`, `sftp:user@host:/path/to/repo`. https://restic.readthedocs.io/en/stable/030_preparing_a_new_repo.html#sftp

samsapti marked this conversation as resolved

roles/docker/tasks/services/restic_backup.yml Outdated

					
				@ -35,3 +60,3 @@

				            RUN_ON_STARTUP: "false"

				            PRUNE_CRON: "0 0 4 * * *"

				            RESTIC_REPOSITORY: "rest:https://{{ services.restic.user }}:{{ restic_secrets.user_password }}@{{ services.restic.domain }}/{{ services.restic.repository }}"

				            RESTIC_REPOSITORY: "sftp:{{ services.restic.user }}@{{ services.restic.domain }}:{{ services.restic.repository }}"

reynir commented

2023-02-09 08:18:16 +00:00

Same comment as above regarding sftp urls.

samsapti marked this conversation as resolved

samsapti added 2 commits 2023-02-11 18:21:11 +00:00

Remove restic_secrets.user_password 8069916aef

Derive public SSH key instead of hardcoding it 00f03ec5a8

samsapti added 1 commit 2023-02-11 18:35:03 +00:00

Use relative path in Restic repository a9abb33b3d

It's better to make it relative to `$HOME`, in case Fedder decides to
move it some day.

samsapti added 1 commit 2023-02-11 19:55:21 +00:00

Avoid connection close when processing huge amounts of unchanged data f2acc0a37b

samsapti commented

2023-02-11 19:57:23 +00:00

I also added an SSH config file. From the Restic docs:

Please be aware that sftp servers close connections when no data is received by the client. This can happen when restic is processing huge amounts of unchanged data. To avoid this issue add the following lines to the client’s .ssh/config file:
ServerAliveInterval 60
ServerAliveCountMax 240

I also added an SSH config file. From the [Restic docs](https://restic.readthedocs.io/en/stable/030_preparing_a_new_repo.html#sftp): > Please be aware that sftp servers close connections when no data is received by the client. This can happen when restic is processing huge amounts of unchanged data. To avoid this issue add the following lines to the client’s .ssh/config file: > > ``` > ServerAliveInterval 60 > ServerAliveCountMax 240 > ```

samsapti added 1 commit 2023-03-05 22:00:40 +00:00

Change > to >- 439f232ecc