I want to be able to remote-control the launch of a restic backup via SSH from a “controlled” client (“C” in the diagram below) while being able to access the actual backup directly from “C”. The remote control is used so as to not have to keep the password of restic’s backend on the machines in the center.
In this instance, the backup server is the rest-server as it’s the fastest restic backend.
The client exports the password for the backend store as an environment variable. Our SSH server already accepts LC_ environment variables, so we use one of those:
On the machines which will be backed up (in the center of the diagram), I have an authorized_keys entry for a dedicated user:
The small shell script does a bit of logging and sets the correct environment variable for restic to authenticate to its destination REST server before actually running the backup:
This small script can optionally check $SSH_ORIGINAL_COMMAND to determine which portion of the system, or which database, it should back up.
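A forced-command wrapper of the kind described above, as an added example rather than the script from the original post: it compares $SSH_ORIGINAL_COMMAND against a fixed allowlist and hands the LC_ secret to restic through its environment. The variable name LC_BACKUP_SECRET, the target names and paths, the REST user name, the repository URL and the "--run" guard are assumptions, as is a restic release that reads RESTIC_REST_USERNAME and RESTIC_REST_PASSWORD.

```shell
#!/bin/sh
# Added example: forced-command wrapper for the dedicated backup user.
# Assumed, not from the post: LC_BACKUP_SECRET, targets, paths, URL, "--run".
# The repository's own encryption password is assumed to be supplied
# separately, e.g. via RESTIC_PASSWORD_FILE.

# Map the client's request ($SSH_ORIGINAL_COMMAND) to a fixed path.
# The request is only compared against literals, never executed or expanded.
select_target() {
    case "$1" in
        etc)      echo "/etc" ;;
        home)     echo "/home" ;;
        postgres) echo "/var/backups/postgres" ;;
        *)        return 1 ;;
    esac
}

# Sanity check on the forwarded secret: non-empty, no control characters.
valid_secret() {
    [ -n "$1" ] || return 1
    case "$1" in
        *[[:cntrl:]]*) return 1 ;;
    esac
    return 0
}

main() {
    request="${SSH_ORIGINAL_COMMAND:-}"
    if ! path=$(select_target "$request"); then
        # Do not echo the raw request into the log.
        logger -t backup-wrapper "rejected unknown backup target"
        echo "unknown backup target" >&2
        return 2
    fi
    if ! valid_secret "${LC_BACKUP_SECRET:-}"; then
        logger -t backup-wrapper "no usable secret for target $request"
        return 3
    fi
    # Pass the secret to restic via its environment, then drop the LC_ copy.
    RESTIC_REST_USERNAME="backup"
    RESTIC_REST_PASSWORD="$LC_BACKUP_SECRET"
    export RESTIC_REST_USERNAME RESTIC_REST_PASSWORD
    unset LC_BACKUP_SECRET
    logger -t backup-wrapper "starting backup of $path"
    restic -r "rest:https://backup.example.net/$(hostname)" backup "$path"
}

# Run only when invoked as "<script> --run", as the forced command would.
if [ "${1:-}" = "--run" ]; then main; fi
```

Because the request is matched against literals and only the mapped path reaches restic, anything the controlling client sends outside the allowlist ends in a rejection rather than a command line.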
On the controlling side (the “C” at the top of the diagram), I kick off the backup via
I’ve also prototyped a very similar setup with BorgBackup because we just might decide to use that in this particular case as pruning is quite a bit faster, and we’re interested in the different compression methods it has to offer.