Use Fedder's TrueNAS for Restic backups #153
|
@ -49,9 +49,10 @@ services:
|
||||||
|
|
||||||
restic:
|
restic:
|
||||||
file: restic_backup.yml
|
file: restic_backup.yml
|
||||||
user: "datacoop"
|
user: "dc-user"
|
||||||
domain: "restic.cannedtuna.org"
|
domain: "rynkeby.skovgaard.tel"
|
||||||
repository: "datacoop-hevonen"
|
volume_folder: "{{ volume_root_folder }}/restic"
|
||||||
|
repository: "/mnt/SpinningRust/data.coop-backup/restic"
|
||||||
ssh_pubkey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN1lNLshXytq+mx2LPzm8Neh/nrVqCR3iDXPONzBag9s restic@fedder
|
ssh_pubkey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN1lNLshXytq+mx2LPzm8Neh/nrVqCR3iDXPONzBag9s restic@fedder
|
||||||
samsapti marked this conversation as resolved
Outdated
|
|||||||
version: "1.6.0"
|
version: "1.6.0"
|
||||||
disabled_in_vagrant: true
|
disabled_in_vagrant: true
|
||||||
|
|
|
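Review bot: the new `ssh_pubkey` inventory line (`ssh-ed25519 AAAAC3... restic@fedder`) is the public half of the key whose private half is in `restic_secrets.ssh_privkey`, so a key rotation now has to be done in two places and they can silently drift apart. The public key can instead be derived on the host at deploy time with `ssh-keygen -y -f <copied private key>` and written out by the same play, which drops the inventory copy entirely. Also note that the new `repository` value is an absolute path (`/mnt/SpinningRust/data.coop-backup/restic`), which is what the scp-style `sftp:user@host:/path` form in the compose file expects.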
@ -1,5 +1,29 @@
|
||||||
# vim: ft=yaml.ansible
|
# vim: ft=yaml.ansible
|
||||||
---
|
---
|
||||||
|
- name: Create SSH directory
|
||||||
|
file:
|
||||||
|
name: "{{ services.restic.volume_folder }}/ssh"
|
||||||
samsapti marked this conversation as resolved
Outdated
reynir
commented
Shouldn't it be `.ssh`? Is `{{ services.restic.volume_folder }}` the `$HOME` dir of root?
samsapti
commented
No, it evaluates to `/docker-volumes/restic/ssh`. It doesn't need to be in root's `$HOME`, and I also think it's better to place it in Restic's folder, since this is the only service that uses it. It also doesn't need to be hidden, since we can bind mount it to a different name inside the container (also this makes it visible with a simple `ls`).
|
|||||||
|
owner: root
|
||||||
samsapti marked this conversation as resolved
reynir
commented
It's probably correct seeing what most containers do, but we could confirm it's running as root.
samsapti
commented
It's also possible with this location, since `mode: '0700'` denies read permission for everyone else.
|
|||||||
|
group: root
|
||||||
|
mode: '0700'
|
||||||
|
state: directory
|
||||||
|
|
||||||
|
- name: Copy private SSH key
|
||||||
|
copy:
|
||||||
|
dest: "{{ services.restic.volume_folder }}/ssh/id_ed25519"
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: '0600'
|
||||||
|
content: "{{ restic_secrets.ssh_privkey }}"
|
||||||
|
|
||||||
|
- name: Copy public SSH key
|
||||||
|
copy:
|
||||||
|
dest: "{{ services.restic.volume_folder }}/ssh/id_ed25519.pub"
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: '0644'
|
||||||
|
content: "{{ services.restic.ssh_pubkey }}"
|
||||||
|
|
||||||
- name: Setup restic backup
|
- name: Setup restic backup
|
||||||
docker_compose:
|
docker_compose:
|
||||||
project_name: restic_backup
|
project_name: restic_backup
|
||||||
|
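Review bot: the `ssh` directory is populated with only `id_ed25519` and `id_ed25519.pub`; there is no `known_hosts`, so when restic opens the sftp connection the container's `ssh` has no trusted host key for `rynkeby.skovgaard.tel`. It will either refuse the first connection or, if the image disables `StrictHostKeyChecking`, accept whatever key the far end presents and lose the only protection against a spoofed backup target. Suggest a third `copy` task in the same block that writes a pinned `known_hosts` entry for the TrueNAS host (captured once with `ssh-keyscan -t ed25519` and checked in alongside the public key) with `mode: '0644'`, so the mount at `/run/secrets/.ssh` carries both the client identity and the expected server key. Minor: the `file:` task uses `name:`, which works as an alias, but `path:` is the documented parameter and reads more clearly.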
@ -13,12 +37,12 @@
|
||||||
environment:
|
environment:
|
||||||
RUN_ON_STARTUP: "false"
|
RUN_ON_STARTUP: "false"
|
||||||
BACKUP_CRON: "0 30 3 * * *"
|
BACKUP_CRON: "0 30 3 * * *"
|
||||||
RESTIC_REPOSITORY: "rest:https://{{ services.restic.user }}:{{ restic_secrets.user_password }}@{{ services.restic.domain }}/{{ services.restic.repository }}"
|
RESTIC_REPOSITORY: "sftp:{{ services.restic.user }}@{{ services.restic.domain }}:{{ services.restic.repository }}"
|
||||||
samsapti marked this conversation as resolved
Outdated
reynir
commented
Aren't sftp URLs `sftp://user@host/path/from/root`?
samsapti
commented
No, the URL format is actually `sftp://user@host[:port]//path/from/root` (double slash) or `sftp://user@host[:port]/relative/path/to/home`, but Restic only requires the URL format in case of a specified port number or an IPv6 address. If not, it only wants the `sftp:` prefix, followed by the format you would use with `scp`, `sftp:user@host:/path/to/repo`.
https://restic.readthedocs.io/en/stable/030_preparing_a_new_repo.html#sftp
|
|||||||
RESTIC_PASSWORD: "{{ restic_secrets.repository_password }}"
|
RESTIC_PASSWORD: "{{ restic_secrets.repository_password }}"
|
||||||
RESTIC_BACKUP_SOURCES: "/mnt/volumes"
|
RESTIC_BACKUP_SOURCES: "/mnt/volumes"
|
||||||
RESTIC_BACKUP_ARGS: >-
|
RESTIC_BACKUP_ARGS: >-
|
||||||
--tag datacoop-volumes
|
--tag datacoop-volumes
|
||||||
--exclude='*.tmp'
|
--exclude '*.tmp'
|
||||||
--verbose
|
--verbose
|
||||||
RESTIC_FORGET_ARGS: >-
|
RESTIC_FORGET_ARGS: >-
|
||||||
--keep-last 10
|
--keep-last 10
|
||||||
|
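Review bot: `RESTIC_REPOSITORY` no longer references `restic_secrets.user_password` (it was only ever part of the old `rest:https://user:password@host/...` URL), so that entry becomes dead in the secrets file and should be removed in the same change rather than left around. The new value `sftp:{{ services.restic.user }}@{{ services.restic.domain }}:{{ services.restic.repository }}` is the scp-style form discussed in the thread above and depends on `repository` being an absolute path; if a non-default port is ever needed, the `sftp://user@host:port//abs/path` form with the double slash must be used instead. The `--exclude='*.tmp'` to `--exclude '*.tmp'` change is harmless for restic itself, but since the whole of `RESTIC_BACKUP_ARGS` is passed as one environment string, how the glob is split and quoted depends on the image's entrypoint; worth checking once in the container log with `--verbose` that the pattern arrives as a single argument.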
@ -27,6 +51,7 @@
|
||||||
--keep-monthly 12
|
--keep-monthly 12
|
||||||
TZ: Europe/Copenhagen
|
TZ: Europe/Copenhagen
|
||||||
volumes:
|
volumes:
|
||||||
|
- "{{ services.restic.volume_folder }}/ssh:/run/secrets/.ssh:ro"
|
||||||
- /docker-volumes:/mnt/volumes:ro
|
- /docker-volumes:/mnt/volumes:ro
|
||||||
|
|
||||||
restic-prune:
|
restic-prune:
|
||||||
|
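Review bot: the bind mount `{{ services.restic.volume_folder }}/ssh:/run/secrets/.ssh:ro` is correctly read-only, but ssh enforces ownership and mode on the identity file: the key is written as `root:root` `0600` on the host, so the sftp backend only works if the process inside the container also runs as uid 0 (the `owner: root` thread above). If the image runs restic as another user, the key will be rejected as unreadable or "too open"; confirm once with `docker compose exec restic id` and, if needed, point ssh at the file explicitly (an `IdentityFile` entry in a config mounted alongside the key) rather than relying on the `.ssh` directory name.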
@ -34,6 +59,8 @@
|
||||||
environment:
|
environment:
|
||||||
RUN_ON_STARTUP: "false"
|
RUN_ON_STARTUP: "false"
|
||||||
PRUNE_CRON: "0 0 4 * * *"
|
PRUNE_CRON: "0 0 4 * * *"
|
||||||
RESTIC_REPOSITORY: "rest:https://{{ services.restic.user }}:{{ restic_secrets.user_password }}@{{ services.restic.domain }}/{{ services.restic.repository }}"
|
RESTIC_REPOSITORY: "sftp:{{ services.restic.user }}@{{ services.restic.domain }}:{{ services.restic.repository }}"
|
||||||
samsapti marked this conversation as resolved
Outdated
reynir
commented
Same comment as above regarding sftp urls.
|
|||||||
RESTIC_PASSWORD: "{{ restic_secrets.repository_password }}"
|
RESTIC_PASSWORD: "{{ restic_secrets.repository_password }}"
|
||||||
TZ: Europe/copenhagen
|
TZ: Europe/copenhagen
|
||||||
|
volumes:
|
||||||
|
- "{{ services.restic.volume_folder }}/ssh:/run/secrets/.ssh:ro"
|
||||||
|
|
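Review bot: the unchanged context line `TZ: Europe/copenhagen` (lower-case c) in `restic-prune` differs from `Europe/Copenhagen` in the `restic` service; tzdata zone names are case-sensitive, so the prune schedule `0 0 4 * * *` is evaluated against UTC (or a failed zone load) instead of local time, and no longer runs a fixed 30 minutes after the backup. Worth fixing while this file is touched. Separately, `RESTIC_REPOSITORY`, `RESTIC_PASSWORD` and the ssh volume mount are now duplicated verbatim between the two services; a YAML anchor (for example `x-restic-env: &restic-env` merged into both `environment:` blocks) would stop them drifting the way the two `TZ` values already have.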
Can we derive the pubkey from the privkey in secrets? We have to update the key in two places now.
We probably could, I'll make the change.