
Wed, 12 Jul 2023

Setting up a `restic` repository in a Backblaze B2 bucket

Updated on Wed, 18 Oct 2023

This guide covers setting up backups to a Backblaze B2 bucket using restic. It mostly follows the official documentation (see [1]), with some additional suggestions interleaved throughout as well as a simple automation approach.

  1. Create a Backblaze account (if you don’t already have one)

  2. Create a Backblaze application key (do not use the master key) and save the application ID & key (e.g. in a password manager)

  3. Create a file to store these credentials as environment variables (e.g. /etc/restic-env [^1])

```sh
# /etc/restic-env
export B2_ACCOUNT_ID="<app_id>"
export B2_ACCOUNT_KEY="<app_key>"
export RESTIC_REPOSITORY="b2:<bucket_name>:<path/to/repo>"
export RESTIC_PASSWORD="<restic repository password>"
```

Optional tip [2]: use pass to store the credentials in your password manager

```sh
gpg --list-keys
pass init <gpg_key_id>
pass insert "$HOSTNAME/B2_ACCOUNT_ID"
pass insert "$HOSTNAME/B2_ACCOUNT_KEY"
pass insert "$HOSTNAME/RESTIC_REPOSITORY"
pass insert "$HOSTNAME/RESTIC_PASSWORD"
```

In this case your env file would look like this:

```sh
# /etc/restic-env, reading each value from pass
export B2_ACCOUNT_ID="$(pass "$HOSTNAME/B2_ACCOUNT_ID")"
export B2_ACCOUNT_KEY="$(pass "$HOSTNAME/B2_ACCOUNT_KEY")"
export RESTIC_REPOSITORY="$(pass "$HOSTNAME/RESTIC_REPOSITORY")"
export RESTIC_PASSWORD="$(pass "$HOSTNAME/RESTIC_PASSWORD")"
```

  4. Create a bucket in Backblaze B2. As a suggestion, you could name buckets after the hostnames of your machines (e.g. desktop-arch, flex-arch, …), or you could create a single bucket with a repository for each machine (e.g. in top-level directories).

  5. Assuming you have restic installed, initialize a repository in the bucket you just created. Here we assume you’re initializing the repository from the machine with the corresponding hostname. Change the "$HOSTNAME" part to match the bucket name. Generally you can use

```sh
restic init --repo b2:"<bucket-name>:<path/to/repo>"
```

Or to create the repository in the root of the bucket:

```sh
restic init --repo b2:"<bucket-name>"
```

Here we opted for the latter (single bucket) approach so we use

```sh
restic init --repo b2:"<bucket-name>:$HOSTNAME"
```

  6. You will be asked to provide a password (not sure if you can get away without one, but I would not recommend it) and optionally store it in your password manager. Note: this password should correspond to the one specified in the RESTIC_PASSWORD environment variable.

Automation

For life on easy mode, one can automate the backup process by creating a script as follows:

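```sh
#!/usr/bin/env bash
# Load the B2 credentials and the repository password
source /etc/restic-env
# Back up the paths listed in ~/.resticinclude, skipping those in ~/.resticexclude
restic -r b2:"<bucket-name>:<path/to/repo>" backup \
  --tag "hektor" \
  --one-file-system \
  --files-from="$HOME/.resticinclude" \
  --exclude-file="$HOME/.resticexclude" \
  --verbose=3
```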

If you don’t want to back up certain paths, you can specify a file containing them (similar to a .gitignore file). Conversely, you can point to a file containing paths you do want to back up. If not using the latter argument, you can just specify the root of the directory you want to back up. See the documentation for details on the various arguments.

Run an initial backup using the script. Note: you might have to use chmod +x to make it executable.
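
An added example, not part of the original post: because /etc/restic-env holds the B2 application key and the repository password in plain text, a backup wrapper can refuse to run unless the file is private to its owner and defines all four variables. The function names and the `ENV_FILE` variable are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: pre-flight checks on the restic credentials file.
# Function names and the ENV_FILE variable are hypothetical; the four
# variable names and the default path come from the guide above.
REQUIRED_VARS="B2_ACCOUNT_ID B2_ACCOUNT_KEY RESTIC_REPOSITORY RESTIC_PASSWORD"

# Succeeds only for a regular file with no group/other permission bits.
env_file_private() {
  [ -f "$1" ] && [ ! -L "$1" ] || return 1
  # Characters 5-10 of the `ls -l` mode string are the group/other bits.
  [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Prints the required variables that are unset or empty after sourcing.
# Runs in a subshell (parentheses body) so no secret reaches the caller.
env_file_missing_vars() (
  for v in $REQUIRED_VARS; do unset "$v"; done
  . "$1" >/dev/null 2>&1 || exit 2
  missing=""
  for v in $REQUIRED_VARS; do
    eval "val=\${$v:-}"
    [ -n "$val" ] || missing="$missing $v"
  done
  printf '%s' "${missing# }"
)

# Gate: returns 0 only when the file is private and complete.
restic_env_ok() {
  env_file_private "$1" ||
    { echo "refusing $1: missing, or accessible to group/other" >&2; return 1; }
  missing=$(env_file_missing_vars "$1") ||
    { echo "refusing $1: could not be sourced" >&2; return 1; }
  [ -z "$missing" ] || { echo "refusing $1: unset $missing" >&2; return 1; }
}

# Backup wrapper: credentials are loaded only after the gate passes, and
# only inside this subshell.
run_backup() (
  env_file="${ENV_FILE:-/etc/restic-env}"
  restic_env_ok "$env_file" || exit 1
  . "$env_file"
  restic backup --one-file-system \
    --files-from="$HOME/.resticinclude" \
    --exclude-file="$HOME/.resticexclude"
)
```

Create the file with `chmod 600 /etc/restic-env` so the check passes.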

Maintenance, restoring and managing multiple hosts

See [2].

[^1]: Pro tips: when using version control (e.g. for a dotfiles repository), add this file to your .gitignore and track an example file (e.g. restic-env.example) with dummy values for future setups. Alternatively, attach the private file to a password manager entry. There might be even better (more automated) ways to do this (e.g. I am vaguely aware that Ansible Vault could be a solution for this, or KeePassXC might have additional features for this). Should you know of a better way, please let me know and I will explore it and perhaps mention it here.

Backblaze CLI tool (2023-10-18)

Apparently, Backblaze provides a CLI tool, which could prove useful in automating the above setup. For example, we can authorize as follows (here using an application key):

```sh
backblaze-b2 authorize-account "$(pass "$HOSTNAME/B2_ACCOUNT_ID")" "$(pass "$HOSTNAME/B2_ACCOUNT_KEY")"
```

Consequently, we can view our account info as follows:

```sh
backblaze-b2 get-account-info
```

And more practically, we can list the contents of our created bucket as follows:

```sh
# ls takes the bucket name, not restic's b2:<bucket>:<path> repository string
backblaze-b2 ls "<bucket-name>"
```

[1] “Quickstart Guide for Restic and Backblaze B2 Cloud Storage,” Backblaze Help, Mar. 02, 2023. https://help.backblaze.com/hc/en-us/articles/4403944998811-Quickstart-Guide-for-Restic-and-Backblaze-B2-Cloud-Storage (accessed Jul. 12, 2023).

[2] S. Hammond, “How I Use Restic to Back up My Home Folders to Backblaze B2,” seanh.cc, Apr. 03, 2022. https://www.seanh.cc/2022/04/03/restic/ (accessed Jul. 12, 2023).
