Restic Backup

restic is a cross-platform command-line backup solution.

Concepts

Users and Passwords

Three levels of authentication:

  1. Server: public_key (and private_key) files generated by openssl command.
  2. Client: PC_NAME and PC_PASSWORD identify the client PC. Chosen manually.
  3. Repo: repo_password.txt protects each repo. Generated by resticprofile generate.

Components

Server

The rest-server is the optional server component. Repo and Docker image.

QNAP Container Station

Installation instructions.

Container Settings

  • Mode: Advanced
  • Image: restic/rest-server
  • Publish network ports: Host: 38000, Container: 8000 TCP
  • Advanced Settings:
    • Environment:
      • OPTIONS: --tls
    • Storage: Host: /Backup, Container: /data RW

(The other installation instructions included --private-repos in OPTIONS but I want to be able to share backups between client PCs.)

SSH Commands

openssl req -newkey rsa:2048 -nodes -x509 \
    -keyout private_key \
    -out public_key \
    -days 36500 \
    -addext "subjectAltName = IP:QNAP_IP,DNS:qnap"

docker exec -it rest-server create_user PC_NAME PC_PASSWORD

PC_PASSWORD is a new password.

In theory containers can run as non-admin users (doc) but this depends on either

  • the container supporting environment variables (UID/GID/PUID/PGID)
  • Container Station allowing specification of the docker exec --user parameter (example). Currently seems not.
  • maybe creating a custom entrypoint.sh?

Client

restic is the command-line backup client. Docs and downloads.

restic --cacert public_key -r rest:https://PC_NAME:PC_PASSWORD@QNAP_IP:38000/Documents/ --password-file=repo_password.txt init

repo_password.txt contains a new password to protect the repo
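
The command above carries PC_PASSWORD in the repository URL, where it ends up in shell history and the process list. The following is an added example, not part of the original notes: a POSIX shell helper that passes the same values through restic's RESTIC_REST_USERNAME, RESTIC_REST_PASSWORD, RESTIC_REPOSITORY and RESTIC_PASSWORD_FILE environment variables. The client_credentials file name and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page.
# Assumed: a file (here called client_credentials) holding one line
# "PC_NAME:PC_PASSWORD"; the helper names below are hypothetical.

# True only for a regular file with no group/other permission bits set.
is_private_file() {
    [ -f "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c5-10)   # group+other columns of e.g. -rw-------
    [ "$perms" = "------" ]
}

# load_rest_env CRED_FILE HOST PORT REPO_NAME REPO_PASSWORD_FILE
# Exports the settings restic reads, so no secret appears on its command line.
load_rest_env() {
    cred_file=$1; host=$2; port=$3; repo=$4; pw_file=$5
    for f in "$cred_file" "$pw_file"; do
        is_private_file "$f" || {
            echo "refusing $f: missing or readable by group/others (chmod 600)" >&2
            return 1
        }
    done
    # Read the first line; tolerate a missing trailing newline.
    IFS= read -r line < "$cred_file" || [ -n "$line" ] || return 1
    user=${line%%:*}    # text before the first ':'
    pass=${line#*:}     # everything after it (the password may contain ':')
    if [ "$user" = "$line" ] || [ -z "$user" ] || [ -z "$pass" ]; then
        echo "expected NAME:PASSWORD in $cred_file" >&2
        return 1
    fi
    RESTIC_REST_USERNAME=$user
    RESTIC_REST_PASSWORD=$pass
    RESTIC_REPOSITORY="rest:https://$host:$port/$repo/"   # no credentials in the URL
    RESTIC_PASSWORD_FILE=$pw_file
    export RESTIC_REST_USERNAME RESTIC_REST_PASSWORD RESTIC_REPOSITORY RESTIC_PASSWORD_FILE
}

# Example call, using the page's placeholders:
#   load_rest_env client_credentials QNAP_IP 38000 Documents repo_password.txt &&
#       restic --cacert public_key init
```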

Client Profiles

resticprofile is a wrapper around the restic client. Doc and repo.

resticprofile generate --random-key > repo_password.txt

GUI

The recommendation is the web interface Backrest (repo). I got a “not supported” error when running on Windows. Possibly needs a better installer. I gave up for now.
