2025-12-14 01:58:47 +01:00
config.in wip 2025-12-14 01:58:47 +01:00
sysusers.d wip 2025-12-14 01:58:47 +01:00
tmpfiles.d wip 2025-12-14 01:58:47 +01:00
.env wip 2025-12-14 01:58:47 +01:00
.gitignore wip 2025-12-14 01:58:47 +01:00
Containerfile wip 2025-12-14 01:58:47 +01:00
entrypoint.sh wip 2025-12-14 01:58:47 +01:00
Justfile wip 2025-12-14 01:58:47 +01:00
known_hosts wip 2025-12-14 01:58:47 +01:00
README.md wip 2025-12-14 01:58:47 +01:00
restic.container wip 2025-12-14 01:58:47 +01:00
restic.sh wip 2025-12-14 01:58:47 +01:00

This is an almost ready-to-go setup for backing up data to a Hetzner Storage Box using Restic in a Podman container.

How to use

Prerequisites

  • A Hetzner Storage Box
    • The features "SSH support" and "External Reachability" need to be enabled for your account.
    • A sub account will work as well. (You do not need to enable "SSH support" and "External Reachability" on the main account if you use a sub account.)
  • Podman
  • Just

Create config

  1. Create the restic user and its directories:

    just install
    
  2. Create the config using your Storage Box (sub) account name:

    just create-config <STORAGEBOX_ACCOUNT>
    

    This will create a directory config with the following:

    • A file storagebox-username.secret with your Storage Box (sub) account name
    • A file repository-password.secret with a random password for your Restic repository
    • A file ssh-private-key.secret, a new SSH key without a passphrase which Restic will use to connect to your Storage Box
    • A file authorized_keys.secret, which you need to copy into your Storage Box's ~/.ssh/authorized_keys file (see next step)

    Make sure to save the repository password in a secure location. Without it, you will not be able to access your backups.

  3. Copy the first three files (storagebox-username.secret, repository-password.secret, ssh-private-key.secret) into /etc/restic/private:

    just install-config
    
  4. Finally, copy the SSH public key to your Storage Box account:

    just install-authorized_keys <STORAGEBOX_ACCOUNT>
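
A quick audit of the secrets installed in step 3 can catch a passphrase-less SSH key or repository password left readable by other local users. This is an added example, not part of this repository: `check_restic_secrets` is a hypothetical helper, and the owner-only permission requirement is an assumption, since the README does not state the intended mode.

```shell
#!/bin/sh
# Added example (not part of this repository): audit the secret files that
# `just install-config` copies into /etc/restic/private.
# Assumption: each secret must be a regular, non-empty file with no
# group/other permission bits. The README does not state a required mode.

# File names taken from the README.
SECRET_FILES="storagebox-username.secret repository-password.secret ssh-private-key.secret"

# check_restic_secrets [DIR]  (hypothetical helper name)
# Prints one line per finding; returns 0 if clean, 1 otherwise.
check_restic_secrets() {
    dir=${1:-/etc/restic/private}
    rc=0
    for name in $SECRET_FILES; do
        f="$dir/$name"
        if [ -L "$f" ]; then
            echo "FAIL $f: is a symlink, expected a regular file"; rc=1; continue
        fi
        if [ ! -f "$f" ]; then
            echo "FAIL $f: missing"; rc=1; continue
        fi
        if [ ! -s "$f" ]; then
            echo "FAIL $f: empty"; rc=1
        fi
        # Characters 5-10 of the `ls -l` mode string are the group and
        # other bits (e.g. "-rw-------" -> "------").
        bits=$(ls -ld -- "$f" | cut -c5-10)
        if [ "$bits" != "------" ]; then
            echo "FAIL $f: accessible by group/other ($bits)"; rc=1
        fi
    done
    # The directory itself should not be accessible to "other" users.
    dbits=$(ls -ld -- "$dir" 2>/dev/null | cut -c8-10)
    if [ "$dbits" != "---" ]; then
        echo "FAIL $dir: directory accessible by other ($dbits)"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK $dir"
    return "$rc"
}
```

Run `check_restic_secrets` as root after `just install-config`; pass a different directory as the first argument to audit the freshly generated config directory instead.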
    

Caveats

Backup

The host is mounted at /run/host in the container. Thus, when giving Restic files to back up, you need to add /run/host in front of the full path (so that /home/foo would become /run/host/home/foo, for example).

This is a) clunky and b) makes Restic think that its parent directories have changed, even though they haven't.

What I have done instead is to set Restic's working directory to /run/host, so that you can simply omit the initial slash of the original path (so that /home/foo would become home/foo instead). This mitigates both issues.

Restore

Note that all backed-up paths begin with /run/host, so you probably want to restore using the restic restore <snapshot>:<subfolder> syntax. Unfortunately, the 'working directory trick' from the Backup section does not work for restoring files; you will need to give Restic the full absolute path.

As an example, the following incantation will restore the file /etc/os-release to /restore-test/etc/os-release.

    restic restore latest:/run/host --target /run/host/restore-test /run/host/etc/os-release

If you do not use the <snapshot>:<subfolder> syntax:

    restic restore latest --target /run/host/restore-test /run/host/etc/os-release

You will instead get /restore-test/run/host/etc/os-release.