aboutsummaryrefslogtreecommitdiff
path: root/op_guide/restic/README.md
diff options
context:
space:
mode:
Diffstat (limited to 'op_guide/restic/README.md')
-rw-r--r--op_guide/restic/README.md186
1 files changed, 0 insertions, 186 deletions
diff --git a/op_guide/restic/README.md b/op_guide/restic/README.md
deleted file mode 100644
index f8fb658..0000000
--- a/op_guide/restic/README.md
+++ /dev/null
@@ -1,186 +0,0 @@
-Add the admin account as `deuxfleurs` to your `~/.mc/config` file
-
-You need to choose some names/identifiers:
-
-```bash
-export ENDPOINT="https://s3.garage.tld"
-export SERVICE_NAME="example"
-
-
-export BUCKET_NAME="backups-${SERVICE_NAME}"
-export NEW_ACCESS_KEY_ID="key-${SERVICE_NAME}"
-export NEW_SECRET_ACCESS_KEY=$(openssl rand -base64 32)
-export POLICY_NAME="policy-$BUCKET_NAME"
-```
-
-Create a new bucket:
-
-```bash
-mc mb deuxfleurs/$BUCKET_NAME
-```
-
-Create a new user:
-
-```bash
-mc admin user add deuxfleurs $NEW_ACCESS_KEY_ID $NEW_SECRET_ACCESS_KEY
-```
-
-Add this new user to your `~/.mc/config.json`, run this command before to generate the snippet to copy/paste:
-
-```
-cat > /dev/stdout <<EOF
-"$NEW_ACCESS_KEY_ID": {
- "url": "https://$ENDPOINT",
- "accessKey": "$NEW_ACCESS_KEY_ID",
- "secretKey": "$NEW_SECRET_ACCESS_KEY",
- "api": "S3v4",
- "path": "auto"
-},
-EOF
-```
-
----
-
-Create a policy for this bucket and save it as json:
-
-```bash
-cat > /tmp/policy.json <<EOF
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Action": [
- "s3:ListBucket"
- ],
- "Resource": [
- "arn:aws:s3:::${BUCKET_NAME}"
- ]
- },
- {
- "Effect": "Allow",
- "Action": [
- "s3:*"
- ],
- "Resource": [
- "arn:aws:s3:::${BUCKET_NAME}/*"
- ]
- }
- ]
-}
-EOF
-```
-
-Register it:
-
-```bash
-mc admin policy add deuxfleurs $POLICY_NAME /tmp/policy.json
-```
-
-Set it to your user:
-
-```bash
-mc admin policy set deuxfleurs $POLICY_NAME user=${NEW_ACCESS_KEY_ID}
-```
-
-Now it should display *only* your new bucket when running:
-
-```bash
-mc ls $NEW_ACCESS_KEY_ID
-```
-
----
-
-Now we need to initialize the repository with restic.
-
-```bash
-export AWS_ACCESS_KEY_ID=$NEW_ACCESS_KEY_ID
-export AWS_SECRET_ACCESS_KEY=$NEW_SECRET_ACCESS_KEY
-export RESTIC_REPOSITORY="s3:$ENDPOINT/$BUCKET_NAME"
-export RESTIC_PASSWORD=$(openssl rand -base64 32)
-```
-
-Save the password:
-
-```bash
-echo $RESTIC_PASSWORD
-pass deuxfleurs/backups/$SERVICE_NAME/restic_password
-# ctrl + c -> ctrl + v
-cd ~/.password-store/deuxfleurs/
-git pull ; git push
-cd -
-```
-
-Then init the repo for restic from your machine:
-
-```
-restic init
-```
-
-*I am using restic version `restic 0.12.1 compiled with go1.16.9 on linux/amd64`*
-
-See your snapshots with:
-
-```
-restic snapshots
-```
-
-Check also these useful commands:
-
-```
-restic ls
-restic diff
-restic help
-```
-
----
-
-Add the secrets to Consul, near your service secrets.
-The idea is that the backuping service is a component of the global running service.
-You must run in `app/<name>/secrets/<subpath>`:
-
-```bash
-echo "USER Backup AWS access key ID" > backup_aws_access_key_id
-echo "USER Backup AWS secret access key" > backup_aws_secret_access_key
-echo "USER Restic repository, eg. s3:https://s3.garage.tld" > backup_restic_repository
-echo "USER Restic password to encrypt backups" > backup_restic_password
-```
-
-Then run secretmgr:
-
-```bash
-# Spawning a nix shell is an easy way to get all the dependencies you need
-nix-shell
-
-# Check that secretmgr works for you
-python3 secretmgr.py check <name>
-
-# Now interactively feed the secrets
-python3 secretmgr.py gen <name>
-```
-
----
-
-Now we need a service that runs:
-
-```
-restic backup .
-```
-
-
-Find an existing .hcl declaration that uses restic in this repository or in the Deuxfleurs/nixcfg repository
-to use it as an example.
-
-
-And also that garbage collect snapshots.
-I propose:
-
-```
-restic forget --prune --keep-within 1m1d --keep-within-weekly 3m --keep-within-monthly 1y
-```
-
-Also try to restore a snapshot:
-
-```
-restic restore <snapshot id> --target /tmp/$SERVICE_NAME
-```