Secure restic backups with systemd.

restic systemd configuration

  1. sudo install -Dm644 restic@.service /etc/systemd/system/.
  2. For each target:
    • Place the options (exclude, etc) and paths in the variable BACKUP_OPTIONS="..." in /etc/restic/TARGET/config. Newlines can be escaped with backslashes.
    • Place the repository path in /etc/restic/TARGET/repository.
    • Place the repository password in /etc/restic/TARGET/password.
  3. To run the backups on a schedule, create a .timer file in /etc/systemd/system/ based on restic.timer.example, set the schedule and target unit, then systemctl enable --now whatever.timer.
  4. To run the backups manually, just systemctl start it.
  • Logs for the most recent execution will be stored in /var/log/restic/TARGET.log.
  • The credentials will be securely passed to restic, and will not be accessible to normal users via systemd IPC or the process list.
  • The restic process will be run as a dynamic restic user, and will have read-only access to all files on the system.

# restic.timer.example
[Unit]
Description=Daily backup

[Timer]
OnCalendar=*-*-* 04:05:00
RandomizedDelaySec=5min
Persistent=true
Unit=restic@TARGET.service

[Install]
WantedBy=timers.target
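
# restic@.service
[Unit]
Description=Restic backup (%i)

[Service]
Type=simple
Restart=no
# Lets the unprivileged user bypass read and directory-search permission checks (read-only).
AmbientCapabilities=CAP_DAC_READ_SEARCH
User=restic
Group=restic
# The restic user is allocated dynamically while the service runs.
DynamicUser=yes
LogsDirectory=restic
StandardOutput=truncate:/var/log/restic/%i.log
StandardError=truncate:/var/log/restic/%i.log
Environment=RESTIC_PROGRESS_FPS=1
ConfigurationDirectory=restic
ConfigurationDirectoryMode=0700
# Defines BACKUP_OPTIONS (options and paths) for this target.
EnvironmentFile=/etc/restic/%i/config
# Exposed to this service only, as files under $CREDENTIALS_DIRECTORY.
LoadCredential=repository:/etc/restic/%i/repository
LoadCredential=password:/etc/restic/%i/password
CacheDirectory=restic
# $BACKUP_OPTIONS is unbraced so that systemd splits it into separate arguments.
ExecStart=/usr/bin/restic --cache-dir "${CACHE_DIRECTORY}" --repository-file "${CREDENTIALS_DIRECTORY}/repository" --password-file "${CREDENTIALS_DIRECTORY}/password" --quiet --json backup $BACKUP_OPTIONS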
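
A preflight check for the per-target files from step 2, added here as an example and not part of the gist: it flags a missing, empty, wrongly owned or group/world-accessible config, repository or password file before the unit is enabled. The function name check_target, its arguments and the output format are assumptions of this example, and it relies on GNU stat.

```shell
#!/bin/sh
# Added example (not from the gist): audit one /etc/restic/TARGET directory.
# Usage: check_target DIR [OWNER_UID]   (OWNER_UID defaults to 0, i.e. root)
# Prints one line per finding; returns 0 only when there are none.
# Assumes GNU coreutils stat (-c format option).
check_target() {
    dir=$1
    want_uid=${2:-0}
    problems=0
    for name in config repository password; do
        f="$dir/$name"
        if [ -L "$f" ] || [ ! -f "$f" ]; then
            echo "FAIL $f: missing, or not a plain file"
            problems=$((problems + 1))
            continue
        fi
        mode=$(stat -c %a "$f")
        uid=$(stat -c %u "$f")
        # Group/other permission bits could let another local account read the
        # file directly, without going through LoadCredential=.
        if [ $((0$mode & 077)) -ne 0 ]; then
            echo "FAIL $f: mode $mode grants group/other access"
            problems=$((problems + 1))
        fi
        if [ "$uid" != "$want_uid" ]; then
            echo "FAIL $f: owned by uid $uid, expected $want_uid"
            problems=$((problems + 1))
        fi
        if [ ! -s "$f" ]; then
            echo "FAIL $f: empty"
            problems=$((problems + 1))
        fi
    done
    # ExecStart expands $BACKUP_OPTIONS, so the config file must assign it.
    if [ -f "$dir/config" ] && ! grep -q '^BACKUP_OPTIONS=' "$dir/config"; then
        echo "FAIL $dir/config: no BACKUP_OPTIONS= assignment"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# Audit a real target when given an argument, e.g.: sh check.sh /etc/restic/TARGET
if [ $# -gt 0 ]; then
    check_target "$@"
fi
```
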