author | Quentin Dufour <quentin@deuxfleurs.fr> | 2022-05-16 18:37:52 +0200 |
---|---|---|
committer | Quentin Dufour <quentin@deuxfleurs.fr> | 2022-05-16 18:37:52 +0200 |
commit | 1a5b62d254a364c34cf6b8d346cd829acb398bf4 (patch) | |
tree | 8d9457e5efe5f9c83fa3a8819c2b112d3491e534 /content/operations/sauvegardes/restic.md | |
parent | 478bbc9dad2969386ee6f168c9e7a0a14c4d1f9a (diff) | |
Add backup documentation
Diffstat (limited to 'content/operations/sauvegardes/restic.md')
-rw-r--r-- | content/operations/sauvegardes/restic.md | 171 |
1 files changed, 171 insertions, 0 deletions
diff --git a/content/operations/sauvegardes/restic.md b/content/operations/sauvegardes/restic.md new file mode 100644 index 0000000..f959541 --- /dev/null +++ b/content/operations/sauvegardes/restic.md 
@@ -0,0 +1,171 @@ ++++ +title = "restic" +description = "restic" +weight = 10 ++++ + + +Add the admin account as `deuxfleurs` to your `~/.mc/config` file + +You need to choose some names/identifiers: + +```bash +export ENDPOINT="https://s3.garage.tld" +export SERVICE_NAME="example" + + +export BUCKET_NAME="backups-${SERVICE_NAME}" +export NEW_ACCESS_KEY_ID="key-${SERVICE_NAME}" +export NEW_SECRET_ACCESS_KEY=$(openssl rand -base64 32) +export POLICY_NAME="policy-$BUCKET_NAME" +``` + +Create a new bucket: + +```bash +mc mb deuxfleurs/$BUCKET_NAME +``` + +Create a new user: + +```bash +mc admin user add deuxfleurs $NEW_ACCESS_KEY_ID $NEW_SECRET_ACCESS_KEY +``` + +Add this new user to your `~/.mc/config.json`, run this command before to generate the snippet to copy/paste: + +``` +cat > /dev/stdout <<EOF +"$NEW_ACCESS_KEY_ID": { + "url": "$ENDPOINT", + "accessKey": "$NEW_ACCESS_KEY_ID", + "secretKey": "$NEW_SECRET_ACCESS_KEY", + "api": "S3v4", + "path": "auto" +}, +EOF +``` + +--- + +Create a policy for this bucket and save it as json: + +```bash +cat > /tmp/policy.json <<EOF +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "s3:ListBucket" + ], + "Resource": [ + "arn:aws:s3:::${BUCKET_NAME}" + ] + }, + { + "Effect": "Allow", + "Action": [ + "s3:*" + ], + "Resource": [ + "arn:aws:s3:::${BUCKET_NAME}/*" + ] + } + ] +} +EOF +``` + +Register it: + +```bash +mc admin policy add deuxfleurs $POLICY_NAME /tmp/policy.json +``` + +Set it to your user: + +```bash +mc admin policy set deuxfleurs $POLICY_NAME user=${NEW_ACCESS_KEY_ID} +``` + +Now it should display *only* your new bucket when running: + +```bash +mc ls $NEW_ACCESS_KEY_ID +``` + +--- + +Now we need to initialize the repository with restic. 
+ +```bash +export AWS_ACCESS_KEY_ID=$NEW_ACCESS_KEY_ID +export AWS_SECRET_ACCESS_KEY=$NEW_SECRET_ACCESS_KEY +export RESTIC_REPOSITORY="s3:$ENDPOINT/$BUCKET_NAME" +export RESTIC_PASSWORD=$(openssl rand -base64 32) +``` + +Then init the repo for restic from your machine: + +``` +restic init +``` + +*I am using restic version `restic 0.12.1 compiled with go1.16.9 on linux/amd64`* + +See your snapshots with: + +``` +restic snapshots +``` + +Check also these useful commands: + +``` +restic ls +restic diff +restic help +``` + +--- + +Add the secrets to Consul, near your service secrets. +The idea is that the backuping service is a component of the global running service. +You must run in `app/<name>/secrets/<subpath>`: + +```bash +echo "USER Backup AWS access key ID" > backup_aws_access_key_id +echo "USER Backup AWS secret access key" > backup_aws_secret_access_key +echo "USER Restic repository, eg. s3:https://s3.garage.tld" > backup_restic_repository +echo "USER Restic password to encrypt backups" > backup_restic_password +``` + +Then run secretmgr: + +```bash +# Spawning a nix shell is an easy way to get all the dependencies you need +nix-shell + +# Check that secretmgr works for you +python3 secretmgr.py check <name> + +# Now interactively feed the secrets +python3 secretmgr.py gen <name> +``` + +--- + +Now we need a service that runs: + +``` +restic backup . +``` + +And also that garbage collect snapshots. +I propose: + +``` +restic forget --prune --keep-within 1m1d --keep-within-weekly 3m --keep-within-monthly 1y +``` |
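Review bot: the restic password generated with `export RESTIC_PASSWORD=$(openssl rand -base64 32)` just before `restic init` only lives in the current shell, and the text never tells the reader to record it (and `NEW_SECRET_ACCESS_KEY`) into Consul before closing the session; since the repository is unreadable without that password, the Consul/secretmgr step should be placed before, or explicitly referenced from, the `restic init` step, e.g. "copy `$RESTIC_PASSWORD` into `backup_restic_password` now". Two smaller consistency points in the same hunk: the secretmgr prompt `"USER Restic repository, eg. s3:https://s3.garage.tld"` omits the bucket, while the earlier `RESTIC_REPOSITORY="s3:$ENDPOINT/$BUCKET_NAME"` includes it, so the example should read `s3:https://s3.garage.tld/backups-example`; and the first paragraph refers to `~/.mc/config` while the later one refers to `~/.mc/config.json`, which should be the same path. Finally, the second policy statement grants `s3:*` on `arn:aws:s3:::${BUCKET_NAME}/*`; restic only needs get/put/delete on objects, so narrowing the action list would keep the backup key to least privilege.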