Rsync.net offers an advanced, cheaper plan for expert users who don’t need support and want to use restic to back up their data. They additionally allow using rclone serve, which enables backing up with an append-only key. This means that ransomware attacks can’t corrupt earlier data.
This article is very rough and mostly meant as my personal notes rather than a guide. I have it published here as it collects information from various sources and might be useful to you as an advanced reader. If something is unclear or you have suggestions, please reach out!
Generate keys
We’ll need two SSH keys (one master key that should not be kept on your device and one append-only key) and a passphrase.
ssh-keygen -t ed25519 -C rsync-master
ssh-keygen -t ed25519 -C restic-append-only
openssl rand -base64 32
The randomly generated data will be used as our restic repository password. My backups originate from OS X, and I like to store this password in Keychain Access: create an item in your login keychain called restic-password with that string as its contents.
SSH configuration
We need to create our authorized_keys file to hold the master key and the append-only key with a restricted command:
ssh-ed25519 the-key rsync-master
restrict,command="rclone serve restic --stdio --append-only data" ssh-ed25519 the-append-only-key restic-append-only
Here, data is the name of the folder that will hold my restic data on the rsync.net server. Note that this file needs to be chmoded to 600 and uploaded to rsync.net under .ssh/.
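A check I would run before trusting this setup, added here as an example rather than anything from the original notes or from rclone/restic: parse the authorized_keys file and flag any key that is not the master key but lacks `restrict` or the exact append-only forced command. The file contents, the placeholder key material and the third "laptop" entry are constructed for the demonstration; `audit()`, `parse_line()`, `split_options()` and the `master_comment`/`repo` parameters are this script's own names.

```python
"""Audit an authorized_keys file for the append-only restic setup.

Added example, not from the original notes or from rclone/restic: every key
other than the designated master key must carry `restrict` and a forced
command of the form `rclone serve restic --stdio --append-only <repo>`.
"""
import shlex

KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
             "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com"}

# Constructed sample (placeholder key material): the two entries from the
# notes plus a third key that was added without the restrict/command prefix.
SAMPLE_AUTHORIZED_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERMASTERKEY000000000000000 rsync-master
restrict,command="rclone serve restic --stdio --append-only data" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERAPPENDONLY00000000000000 restic-append-only
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERLAPTOPKEY000000000000000 laptop
"""


def split_options(field):
    """Split the options field on commas, honouring double-quoted values."""
    items, cur, in_quotes, i = [], [], False, 0
    while i < len(field):
        c = field[i]
        if c == "\\" and in_quotes and i + 1 < len(field):
            cur.append(field[i + 1])        # keep the escaped character
            i += 2
            continue
        if c == '"':
            in_quotes = not in_quotes       # quotes delimit, they are not part of the value
        elif c == "," and not in_quotes:
            items.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    if cur:
        items.append("".join(cur))
    return items


def parse_line(line):
    """Return {'options', 'type', 'key', 'comment'} for one entry, None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options = {}
    if line.split(None, 1)[0] not in KEY_TYPES:
        # Options precede the key type; they end at the first space outside quotes.
        i, in_quotes = 0, False
        while i < len(line):
            c = line[i]
            if c == "\\" and in_quotes:
                i += 2
                continue
            if c == '"':
                in_quotes = not in_quotes
            elif c.isspace() and not in_quotes:
                break
            i += 1
        for item in split_options(line[:i]):
            name, _, value = item.partition("=")
            options[name] = value if value else True
        line = line[i:].strip()
    fields = line.split(None, 2)
    if len(fields) < 2 or fields[0] not in KEY_TYPES:
        raise ValueError(f"malformed authorized_keys entry: {line!r}")
    return {"options": options, "type": fields[0], "key": fields[1],
            "comment": fields[2] if len(fields) == 3 else ""}


def audit(text, master_comment="rsync-master", repo="data"):
    """Return a list of findings; an empty list means every key is as intended."""
    expected = ["rclone", "serve", "restic", "--stdio", "--append-only", repo]
    findings, seen_master = [], False
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = parse_line(raw)
        if entry is None:
            continue
        label = f"line {lineno} ({entry['comment'] or entry['type']})"
        if entry["comment"] == master_comment:
            seen_master = True              # deliberately unrestricted, kept off the client
            continue
        opts = entry["options"]
        if "restrict" not in opts:
            findings.append(f"{label}: missing 'restrict' option")
        cmd = opts.get("command")
        if not isinstance(cmd, str):
            findings.append(f"{label}: no forced command, key is not limited to rclone serve")
        elif shlex.split(cmd) != expected:
            findings.append(f"{label}: forced command {cmd!r} is not {' '.join(expected)!r}")
    if not seen_master:
        findings.append(f"no entry with comment {master_comment!r}: maintenance would be impossible")
    return findings
```

Running `audit(SAMPLE_AUTHORIZED_KEYS)` reports two findings for the "laptop" entry (no `restrict`, no forced command) and nothing for the other two; the command is compared token by token, so a key whose forced command drops `--append-only` or points at a different folder is reported as well.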
My local ~/.ssh/config file looks like this:
Host *
  IdentitiesOnly yes

Host rs
  User xxxx
  HostName xxxx.rsync.net
  IdentityFile ~/.ssh/rsync-master

Host rsync
  User xxxx
  HostName xxxx.rsync.net
  IdentityFile ~/.ssh/restic-append-only
(After setup, I’ll remove the rsync-master key from my computer and keep it in a safe place).
Restic init
From your local machine,
brew install restic
export RESTIC_PASSWORD_COMMAND="security find-generic-password -a $USER -s restic-password -w"
restic -r sftp:rs:data init
This will initialize the repository. You should NOT be prompted for a password. If you were, something’s wrong.
Automating backups
We now have an initialized restic repository and we can back up and restore data to it.
I keep some helper functions in a file on my PATH (~/.dotfiles/bin/restic.zsh, which the script below sources). Here's the entirety of it:
restic-env() {
  # Day-to-day environment: the "rsync" SSH host uses the append-only key.
  export RESTIC_REPOSITORY="sftp:rsync:data"
  export RESTIC_PASSWORD_COMMAND="security find-generic-password -a $USER -s restic-password -w"
}

restic-master-env() {
  # Maintenance only (e.g. restic prune) with the master key, which is
  # normally not on this machine.
  export RESTIC_REPOSITORY="sftp:rs:data"
  export RESTIC_PASSWORD_COMMAND="security find-generic-password -a $USER -s restic-password -w"
}

restic-list() {
  restic-env
  # rclone.program="ssh rsync" makes restic talk to the forced
  # "rclone serve restic --stdio --append-only data" command over SSH.
  restic --option=rclone.program="ssh rsync" --repo=rclone: snapshots
}

restic-backup() {
  restic-env
  restic --option=rclone.program="ssh rsync" --repo=rclone: backup \
    "/Users/andre/some/path/" \
    "/Users/andre/.ssh/" \
    "/Users/andre/Library/Keychains/" \
    "/Users/andre/other/path"
}

restic-prune() {
  restic-env
  # forget only drops snapshot records; space is reclaimed by a later
  # restic prune run with the master key.
  restic --option=rclone.program="ssh rsync" --repo=rclone: forget \
    --keep-within 14d \
    --keep-hourly 24 \
    --keep-daily 31 \
    --keep-weekly 52
}
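To see what the flags in restic-prune actually leave behind, and therefore how far back a restore can reach after an incident, here is an added model of restic's documented retention rules. It is not restic's code: `apply_policy()`, `simulate_notes_policy()`, `restore_window()` and `snapshots()` are names of this example, and the snapshot timestamps are constructed (three per day for 30 days).

```python
"""Model of the retention policy used by restic-prune above.

Added example, not restic's own code. It follows restic's documented rules:
snapshots are walked newest-first; --keep-within keeps every snapshot dated
after (latest - duration); each of --keep-hourly/--keep-daily/--keep-weekly
keeps the newest snapshot of the first N distinct hours, days or ISO weeks it
meets (-1 means unlimited); a snapshot survives if any rule keeps it.
"""
from datetime import datetime, timedelta

# Constructed sample: snapshots at 18:35, 10:35 and 02:35 every day for
# 30 days, the newest one on 2024-03-31.
NEWEST = datetime(2024, 3, 31, 18, 35)
SAMPLE_SNAPSHOTS = [NEWEST - timedelta(days=d, hours=h)
                    for d in range(30) for h in (0, 8, 16)]


def snapshots(*iso):
    """Build snapshot times from ISO 8601 strings (test helper)."""
    return [datetime.fromisoformat(s) for s in iso]


def bucket_key(kind, t):
    """Identify the hour, day or ISO week a snapshot falls into."""
    if kind == "hourly":
        return t.strftime("%Y-%m-%d %H")
    if kind == "daily":
        return t.strftime("%Y-%m-%d")
    if kind == "weekly":
        year, week, _ = t.isocalendar()
        return f"{year}-W{week:02d}"
    raise ValueError(kind)


def apply_policy(times, keep_within=None, keep_hourly=0, keep_daily=0, keep_weekly=0):
    """Return (keep, remove) lists of snapshot times, each newest-first."""
    ordered = sorted(times, reverse=True)
    if not ordered:
        return [], []
    latest = ordered[0]
    counts = {"hourly": keep_hourly, "daily": keep_daily, "weekly": keep_weekly}
    last_bucket = {kind: None for kind in counts}
    keep, remove = [], []
    for t in ordered:
        kept = keep_within is not None and t > latest - keep_within
        for kind in counts:
            if counts[kind] == 0:
                continue                    # this rule has no budget left
            key = bucket_key(kind, t)
            if key != last_bucket[kind]:
                # First snapshot seen in this bucket, i.e. the newest one in it.
                kept = True
                last_bucket[kind] = key
                if counts[kind] > 0:
                    counts[kind] -= 1
        (keep if kept else remove).append(t)
    return keep, remove


def simulate_notes_policy(times=SAMPLE_SNAPSHOTS):
    """The flags from restic-prune: --keep-within 14d --keep-hourly 24 --keep-daily 31 --keep-weekly 52."""
    return apply_policy(times, keep_within=timedelta(days=14),
                        keep_hourly=24, keep_daily=31, keep_weekly=52)


def restore_window(keep):
    """Span between the newest and the oldest snapshot that survives."""
    return max(keep) - min(keep)


if __name__ == "__main__":
    keep, remove = simulate_notes_policy()
    print(f"kept {len(keep)}, forgotten {len(remove)}, restore window {restore_window(keep)}")
    print("oldest kept:", min(keep), " newest forgotten:", max(remove))
```

On the constructed sample, 58 of the 90 snapshots survive and 32 are forgotten: everything from the last 14 days is kept, and before that only the 18:35 snapshot of each day. A file that was created and deleted between two of the older snapshots of one day is therefore gone once those are forgotten, so the window in which the append-only key still protects every version is the 14 days of --keep-within. Forgetting only removes snapshot records; the data itself stays until a prune with the master key, as the wrap-up notes.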
Next, a script that backs up and prunes (~/.dotfiles/bin/restic-launchctl.zsh):
#!/bin/bash
# Run by launchd (see the plist below): record the last run time, then
# back up and apply the retention policy with the append-only key.
echo "Last run: $(date)" > /var/log/restic/restic
source /Users/andre/.dotfiles/bin/restic.zsh
restic-backup
restic-prune
Finally, a launchctl configuration (~/Library/LaunchAgents/restic.plist):
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>Label</key>
    <string>restic.plist</string>
    <key>RunAtLoad</key>
    <true/>
    <key>StartCalendarInterval</key>
    <array>
      <dict>
        <key>Minute</key>
        <integer>35</integer>
      </dict>
    </array>
    <key>EnvironmentVariables</key>
    <dict>
      <key>PATH</key>
      <string><![CDATA[/opt/homebrew/bin:/usr/local/bin:/usr/local/sbin:/usr/bin:/bin:/usr/sbin:/sbin]]></string>
    </dict>
    <key>WorkingDirectory</key>
    <string>/Users/andre</string>
    <key>ProgramArguments</key>
    <array>
      <string>/Users/andre/.dotfiles/bin/restic-launchctl.zsh</string>
    </array>
  </dict>
</plist>
Tie it all together:
sudo mkdir /var/log/restic
sudo chown $USER /var/log/restic
launchctl load ~/Library/LaunchAgents/restic.plist
Wrap up
Remove the master key from your machine and keep it safe: if that key is compromised, data can actually be deleted from rsync.net. Normal backups and pruning use the append-only key, so the repository only ever grows; periodically run prune with the master key to actually remove data.