Context

I recently decided to start using my own home server to store my dotfiles. The main reasons are simplicity, privacy, and security. I previously stored them in a repository on my GitHub account and installed them with Ansible, but I have increasingly found it cumbersome when trying to keep them updated and in sync. On GitHub, the changes (and mistakes!) I make to my dotfiles are publicly viewable; sometimes I’ll make changes several times a day, sometimes scrapping a change entirely when I later realize it was not such a good idea or breaks something in my activity flow. I also would love the convenience of keeping SSH keys and GPG keychains in sync and updated, and storing them on a public server is obviously not an option, nor even in a private repository hosted on GitHub or GitLab.

Cue Restic

My home server is basically just my old 2013 MacBook Pro running Fedora Server edition. It has a 250GB SSD, which is more than enough for what I need. I also have an 1TB external SSD which I will use to emulate redundancy. I installed and configured the rest-server software to act as a backend for my Restic backups.

Setting up the rest server

First build the rest-server binary and move it to a directory in PATH. This step requires Go 1.11 or higher. Optionally, you can download the latest compiled rest-server binary from its releases page: https://github.com/restic/rest-server/releases

git clone https://github.com/restic/rest-server
cd rest-server/
CGO_ENABLED=0 go build -o rest-server ./cmd/rest-server
sudo cp -v rest-server /usr/local/bin/

I also configured the systemd unit file so that rest-server runs on startup with the appopriate flags. I need only configure the options User, Group, ExecStart, and ReadWritePaths in the [Service] section:

cd ~/rest-server/examples/systemd/
ls .

rest-server.service:

[Service]
Type=simple
User=restic-data
Group=restic-data
ExecStart=/usr/local/bin/rest-server --path /opt/restic-backups --no-auth
Restart=always
RestartSec=5

# Optional security enhancements
NoNewPrivileges=yes
PrivateTmp=yes
ProtectSystem=strict
ProtectHome=yes
ReadWritePaths=/opt/restic-backups

Since this is a local home server, I pass the –no-auth flag to the rest-server ExecStart command.

I now create the restic-data user and group. They need to be given a lower UID and GID that isn’t already used by another user/group. 49 is usually available on a default Fedora install.

  • Ensure a default home directory is not created under /home by passing the -M flag.
  • Set a custom home directory for the user at /opt/restic-backups with the -d flag.
  • Ensure the shell is assigned to /sbin/nologin.
sudo groupadd -g 49 restic-data
sudo useradd -c 'Restic Data' -u 49 -g 49 -M -d /opt/restic-backups -s /sbin/nologin restic-data
  • Ensure the backups path exists and has appropriate permissions.
  • Copy the systemd unit file to a location where systemd will look for it.
  • Enable and start the rest-server systemd service.
sudo mkdir /opt/restic-backups
sudo chown -R restic-data:restic-data /opt/restic-backups
sudo cp -v rest-server.service /etc/systemd/system/
sudo systemctl daemon-reload
sudo systemctl enable --now rest-server.service

Since I’m using a firewall, I ensure the port the rest-server listens on is allowed locally:

sudo firewall-cmd --zone=FedoraServer --permanent --add-port=8000/tcp
sudo firewall-cmd --reload

Now on the host, which in this case is my laptop, I have the Restic client installed from my distribution’s package repository.

  • Initialize a Restic storage repository on the server from the host, and supply it with a password. This password will be used every time I attempt to access the storage repository.
  • Backup my dotfiles
restic -r rest:http://local-server:8000/dotfiles init

restic -r rest:http://local-server:8000/dotfiles backup ~/dotfiles

One of the best features of Restic is that it makes restoring backups really simple. It also provides snapshot functionality, so I can restore different versions of specific files from other snapshots.

restic -r rest:http://local-server:8000/dotfiles snapshots
enter password for repository: 
repository 9a280eb7 opened successfully, password is correct
ID        Time                 Host        Tags        Paths
-----------------------------------------------------------------------------
11738fec  2021-04-12 09:13:17  toolbox                 /var/home/jeff/dotfiles
dfc99aa3  2021-04-12 10:31:39  toolbox                 /var/home/jeff/dotfiles
f951eedf  2021-04-12 11:25:21  toolbox                 /var/home/jeff/dotfiles
62371897  2021-04-12 18:43:53  toolbox                 /var/home/jeff/dotfiles
-----------------------------------------------------------------------------
4 snapshots

Since Restic saves the backup’s absolute path, restoring it to / will ensure it is restored to its original location on the local filesystem. To restore a snapshot:

restic -r rest:http://local-server:8000/dotfiles restore dfc99aa3 --target /

To list files in a snapshot:

restic -r rest:http://local-server:8000/dotfiles ls dfc99aa3

Yay, very nice!

Resources

https://restic.net/ https://github.com/restic/rest-server