I recently decided to start using my own home server to store my dotfiles. The main reasons are simplicity, privacy, and security. I previously stored them in a repository on my GitHub account and installed them with Ansible, but I have increasingly found it cumbersome when trying to keep them updated and in sync. On GitHub, the changes (and mistakes!) I make to my dotfiles are publicly viewable; sometimes I’ll make changes several times a day, sometimes scrapping a change entirely when I later realize it was not such a good idea or breaks something in my activity flow. I also would love the convenience of keeping SSH keys and GPG keychains in sync and updated, and storing them on a public server is obviously not an option, nor even in a private repository hosted on GitHub or GitLab.
My home server is basically just my old 2013 MacBook Pro running Fedora Server edition. It has a 250GB SSD, which is more than enough for what I need. I also have an 1TB external SSD which I will use to emulate redundancy. I installed and configured the rest-server software to act as a backend for my Restic backups.
Setting up the rest server⌗
First build the rest-server binary and move it to a directory in PATH. This step requires Go 1.11 or higher. Optionally, you can download the latest compiled rest-server binary from its releases page: https://github.com/restic/rest-server/releases
git clone https://github.com/restic/rest-server cd rest-server/ CGO_ENABLED=0 go build -o rest-server ./cmd/rest-server sudo cp -v rest-server /usr/local/bin/
I also configured the systemd unit file so that rest-server runs on startup with the appopriate flags. I need only configure the options User, Group, ExecStart, and ReadWritePaths in the [Service] section:
cd ~/rest-server/examples/systemd/ ls .
[Service] Type=simple User=restic-data Group=restic-data ExecStart=/usr/local/bin/rest-server --path /opt/restic-backups --no-auth Restart=always RestartSec=5 # Optional security enhancements NoNewPrivileges=yes PrivateTmp=yes ProtectSystem=strict ProtectHome=yes ReadWritePaths=/opt/restic-backups
Since this is a local home server, I pass the –no-auth flag to the rest-server ExecStart command.
I now create the restic-data user and group. They need to be given a lower UID and GID that isn’t already used by another user/group. 49 is usually available on a default Fedora install.
- Ensure a default home directory is not created under /home by passing the -M flag.
- Set a custom home directory for the user at /opt/restic-backups with the -d flag.
- Ensure the shell is assigned to /sbin/nologin.
sudo groupadd -g 49 restic-data sudo useradd -c 'Restic Data' -u 49 -g 49 -M -d /opt/restic-backups -s /sbin/nologin restic-data
- Ensure the backups path exists and has appropriate permissions.
- Copy the systemd unit file to a location where systemd will look for it.
- Enable and start the rest-server systemd service.
sudo mkdir /opt/restic-backups sudo chown -R restic-data:restic-data /opt/restic-backups sudo cp -v rest-server.service /etc/systemd/system/ sudo systemctl daemon-reload sudo systemctl enable --now rest-server.service
Since I’m using a firewall, I ensure the port the rest-server listens on is allowed locally:
sudo firewall-cmd --zone=FedoraServer --permanent --add-port=8000/tcp sudo firewall-cmd --reload
Now on the host, which in this case is my laptop, I have the Restic client installed from my distribution’s package repository.
- Initialize a Restic storage repository on the server from the host, and supply it with a password. This password will be used every time I attempt to access the storage repository.
- Backup my dotfiles
restic -r rest:http://local-server:8000/dotfiles init restic -r rest:http://local-server:8000/dotfiles backup ~/dotfiles
One of the best features of Restic is that it makes restoring backups really simple. It also provides snapshot functionality, so I can restore different versions of specific files from other snapshots.
restic -r rest:http://local-server:8000/dotfiles snapshots enter password for repository: repository 9a280eb7 opened successfully, password is correct ID Time Host Tags Paths ----------------------------------------------------------------------------- 11738fec 2021-04-12 09:13:17 toolbox /var/home/jeff/dotfiles dfc99aa3 2021-04-12 10:31:39 toolbox /var/home/jeff/dotfiles f951eedf 2021-04-12 11:25:21 toolbox /var/home/jeff/dotfiles 62371897 2021-04-12 18:43:53 toolbox /var/home/jeff/dotfiles ----------------------------------------------------------------------------- 4 snapshots
Since Restic saves the backup’s absolute path, restoring it to / will ensure it is restored to its original location on the local filesystem. To restore a snapshot:
restic -r rest:http://local-server:8000/dotfiles restore dfc99aa3 --target /
To list files in a snapshot:
restic -r rest:http://local-server:8000/dotfiles ls dfc99aa3
Yay, very nice!