Restic
- Github
- Docs
- Dockerfile included in main repo
- restic docker image 10M+ pulls
- borg docker image 35 pulls
- Still no native support for backup/snapshot metrics
https://acha.ninja/blog/encrypted_backup_shootout/ compares bupstash, restic, borg backup and plain old tar + gzip + GPG across a series of simple benchmarks.
Usage
Export RESTIC_REPOSITORY and RESTIC_PASSWORD,
or source access-all.sh if using the ansible_role_restic:
. /usr/local/bin/access-all.sh
Backup:
restic --verbose backup --tag /
Disk usage (gdu doesn't support --exclude* flags):
sudo ncdu --exclude-caches --exclude-kernfs -X /etc/backup.exclude /
Show remote repo version:
restic cat config
Show snapshot files:
restic ls latest
restic ls c5c98390
restic ls --recursive bd21fc25 /home/varac/Bilder
Restore:
restic restore latest --target /tmp/restore --include /home/varac/.config
restic restore a2c6d1e2 --target /tmp/restore --include '*watson'
Features
Compression
Available from v0.14.0
To upgrade in place run migrate upgrade_repo_v2 followed by prune. See the documentation for more details. The migration checks the repository integrity and upgrades the repository format, but will not change any data. Afterwards, prune will rewrite the metadata to make use of compression.
Metrics
- Support backup/snapshot metrics
- Collect metrics from rest-server
- Restic grafana dashboards
- Restic Backups with systemd and Prometheus exporter
Ansible roles
roles-ansible/ansible_role_restic
Setup new host
Create new service account
export HOST=panza
export SVCACC_NAME="restic-${HOST}"
export BUCKET=${SVCACC_NAME}
jq ".Statement[0].Resource = [\"arn:aws:s3:::${BUCKET}*\"]" \
~/projects/cloud/storage/minio/policies/readwrite.json \
> /tmp/policy-new.json
mc admin user svcacct add pinenas-pub-varac varac \
--name $SVCACC_NAME \
--description "Restic backup for $SVCACC_NAME" \
--policy /tmp/policy-new.json \
--access-key $SVCACC_NAME
mc mb admin/${BUCKET}
Add Secret Key to Bitwarden:
rbw add "s3.c.varac.net|varac|${SVCACC_NAME}|accesskey"
rbw add "s3.c.varac.net|varac|${SVCACC_NAME}|secretkey"
Verify:
mc admin user svcacct info pinenas-pub-varac $SVCACC_NAME
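The jq step above sets the policy resource to `arn:aws:s3:::${BUCKET}*`, and a trailing `*` in an S3 policy resource matches any run of characters, so it also covers other buckets whose names begin with the same prefix. The check below is an added example, not part of the original notes: it compares that pattern with a bucket-scoped pair. It assumes shell `case` globbing as a stand-in for policy wildcard matching, and the second host `panza2` and the object keys are constructed samples.

```shell
#!/bin/sh
# Added example: which ARNs does a policy Resource pattern cover?
# Assumption: shell `case` globbing stands in for S3 policy wildcard
# matching (`*` = any run of characters, including "/").

# arn_matches PATTERN ARN -> exit 0 if ARN is covered by PATTERN
arn_matches() {
    case "$2" in
        $1) return 0 ;;
    esac
    return 1
}

# covered_by ARN PATTERN... -> exit 0 if any pattern covers ARN
covered_by() {
    arn=$1; shift
    for pattern in "$@"; do
        arn_matches "$pattern" "$arn" && return 0
    done
    return 1
}

# report LABEL PATTERN... -> prints allow/deny for each sample ARN
report() {
    label=$1; shift
    for arn in $SAMPLE_ARNS; do
        if covered_by "$arn" "$@"; then verdict=allow; else verdict=deny; fi
        printf '%-8s %-5s %s\n' "$label" "$verdict" "$arn"
    done
}

HOST=panza
BUCKET="restic-${HOST}"

# Constructed sample ARNs: this host's bucket and objects, plus the bucket
# of a second, hypothetical host "panza2" that shares the name prefix.
SAMPLE_ARNS="arn:aws:s3:::${BUCKET}
arn:aws:s3:::${BUCKET}/data/00/constructed-object
arn:aws:s3:::${BUCKET}2
arn:aws:s3:::${BUCKET}2/data/00/constructed-object"

# Pattern as written in the notes vs. a bucket-scoped pair.
report broad  "arn:aws:s3:::${BUCKET}*"
report scoped "arn:aws:s3:::${BUCKET}" "arn:aws:s3:::${BUCKET}/*"
```

If each service account should reach only its own bucket, the scoped pair is what the `.Statement[0].Resource` array would need to contain.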
Configure restic with ansible
- Create repo_key:
pwgen 32
rbw add "backup|restic|restic|repo_key|${HOST}|pinenas_pub"
- Add to inventory (also to the backup group)
- Add to host_vars/HOSTNAME/default.yaml:
  - ansible_become_pass
  - restic_repo_keys_pinenas_pub_name
  - restic.s3.bucket
  - restic.s3.keyname
- Run ansible:
ansible-playbook -l $HOST -t restic site.yml