This repository contains a set of shell scripts to maintain backups of a server using restic. Main features:
- Filesystem backups with restic
- SQL backups of MySQL databases using `mysqldump`
- SQL backups of PostgreSQL databases using `pg_dump`
- Intended to run daily from `cron`
- Purges old backups according to a retention policy
- Optional integration with healthchecks.io
- Handles transient files with a separate retention policy
Currently in use in production backing up an Ubuntu 18.04 server to Backblaze B2.
Create a Unix user who will execute the backup jobs:
```sh
adduser --disabled-password restic
```
Follow the instructions in the restic documentation to download the latest restic binary from the project's releases page, install it in the `bin` directory of the user you just created, and give the `restic` binary permission to access the filesystem as root.
Now switch user to the `restic` user and clone this repository:
```sh
su - restic
git clone https://github.com/mhw/restic-backup-scripts
```
Create a `~/.env.restic` file and fill it in with the key needed to access your storage, and the restic repository in it:
```sh
cd restic-backup-scripts
cp sample.env.restic ~/.env.restic
dd if=/dev/urandom bs=15 count=1 2>/dev/null | openssl enc -a >~/.restic.pwd
chmod o-r ~/.restic.pwd
vi ~/.env.restic
```
Note: the contents of the `~/.restic.pwd` file are required to access the whole restic repository. Take appropriate precautions to protect it.
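An added check for the note above (example code, not part of this repository): it verifies that the credential files are regular, non-empty, owned by the current user and closed to group and others, which is stricter than the `chmod o-r` step. It assumes GNU `stat` as shipped on Ubuntu; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit the files that hold restic credentials.
# Assumes GNU coreutils stat. Function names are hypothetical.

# check_secret_file PATH
# Prints a verdict and returns 0 only if PATH is safe to hold a secret.
check_secret_file() {
    f=$1
    if [ -L "$f" ]; then
        echo "FAIL $f: is a symlink"; return 1
    fi
    if [ ! -f "$f" ]; then
        echo "FAIL $f: missing or not a regular file"; return 1
    fi
    if [ ! -s "$f" ]; then
        echo "FAIL $f: empty"; return 1
    fi
    owner=$(stat -c %u "$f")
    mode=$(stat -c %a "$f")
    if [ "$owner" != "$(id -u)" ]; then
        echo "FAIL $f: owned by uid $owner, not the current user"; return 1
    fi
    # The last two octal digits are the group and other permission bits.
    case $mode in
        *00) ;;
        *) echo "FAIL $f: mode $mode grants access to group or others"
           return 1 ;;
    esac
    echo "OK   $f: mode $mode"
}

# audit_restic_secrets [FILE...]
# Defaults to the two files this README creates; non-zero if any file fails.
audit_restic_secrets() {
    [ "$#" -gt 0 ] || set -- "$HOME/.restic.pwd" "$HOME/.env.restic"
    rc=0
    for path in "$@"; do
        check_secret_file "$path" || rc=1
    done
    return $rc
}
```

Run `audit_restic_secrets` as the `restic` user after setup; a file left at mode 640 is reported and can be tightened with `chmod 600`.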
Once you've got the environment set up correctly you'll need to initialise the restic repository:
```sh
. ~/.env.restic
restic init
# if using a separate repository for transient files
restic -r "$RESTIC_TRANSIENT_REPOSITORY" init
```
The sample assumes Backblaze B2 is being used as the restic storage provider; replace the settings as appropriate for your chosen storage provider.
Source `.env.restic` from `.bashrc` if you want to be able to run `restic` easily from the command line.
Comment out or remove lines in `all-backups.sh` that you do not need. For example, if you do not have a MySQL database, comment out the `./mysql-backup.sh` line.
Copy the `sample.files-backup.sh` file to `files-backup.sh`:
```sh
cp sample.files-backup.sh files-backup.sh
```
Customise the `restic` command lines as necessary: replace `/where/the/important/files/are` with the path to the important files you need to back up. Update or remove the second `restic` command and the lines mentioning `transient-log-files` if you do not need an alternative retention policy for transient files.
Create a MySQL user for the Unix user, and grant the necessary privileges:
```sql
create user 'restic'@'localhost';
grant process on *.* to 'restic'@'localhost';
grant lock tables, select, show view, event, trigger on app_production.* to 'restic'@'localhost';
```
The global `PROCESS` privilege is required to use `mysqldump` without the `--no-tablespaces` option.
Create a PostgreSQL role for the Unix user, and grant the necessary privileges. Connecting as the `postgres` user:
```sql
create role restic with login;
```
For each database to be dumped (`app_production` below):
```sql
grant connect on database app_production to restic;
\c app_production
set role app_production;
```
(This assumes your data is stored in a database named `app_production`, and that the role `app_production` owns the schema objects within the database.)
Typically all an application's schema objects will be in the `public` schema. To give `restic` access to these objects, run the following commands for the `public` schema and any additional schemas used in your database.
```sql
grant usage on schema public to restic;
grant select on all tables in schema public to restic;
alter default privileges in schema public grant select on tables to restic;
grant select on all sequences in schema public to restic;
alter default privileges in schema public grant select on sequences to restic;
```
The `alter default privileges` commands included above will grant the necessary privileges on schema objects created in the future, but only when those schema objects are created by the `app_production` role.
Edit the user's crontab: `crontab -e`. Use a line like this:
```
30 2 * * * /home/restic/restic-backup-scripts/all-backups.sh
```
To use healthchecks.io to monitor your backups, use the `Makefile` to download a copy of runitor. Just run `make` and it should pull a release down. Update the variables in the `Makefile` to choose a different platform or version.
Then use a crontab line like this:
```
30 2 * * * cd /home/restic/restic-backup-scripts; ./runitor -uuid 2f9-a5c-0123 -silent -- ./all-backups.sh
```
Substitute a valid check UUID from healthchecks.io in the command above.
You might have files that change entirely between backups, such as a log
file that is rotated nightly and compressed a day or so later.
Backing this file up every day will make your restic repository grow
rapidly.
One strategy is to list these transient files in a file that is passed to restic's `--exclude-file` option, then run a second backup with an additional `transient` tag passing the same file to the `--files-from` option. This is illustrated in the `sample.files-backup.sh` script.
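The split described above, as an added sketch that is not the repository's `sample.files-backup.sh`: one list file drives both `--exclude-file` and `--files-from`, and the tagged snapshots get their own short retention. The function names, the `RESTIC` override and the default of two daily snapshots are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not the repository's script. Names are hypothetical.
# RESTIC can be overridden (for instance RESTIC=echo) to preview commands.
RESTIC=${RESTIC:-restic}

# Run restic against the transient repository when one is configured,
# otherwise against the default repository from ~/.env.restic.
transient_restic() {
    if [ -n "${RESTIC_TRANSIENT_REPOSITORY:-}" ]; then
        "$RESTIC" -r "$RESTIC_TRANSIENT_REPOSITORY" "$@"
    else
        "$RESTIC" "$@"
    fi
}

# backup_split LIST DIR...
# LIST holds one absolute path or pattern per line, so the same file is
# valid input for both --exclude-file and --files-from.
backup_split() {
    list=$1
    shift
    if [ ! -s "$list" ]; then
        echo "transient list $list is missing or empty" >&2
        return 2
    fi
    # 1. Main snapshot: everything under DIR... except the transient files.
    "$RESTIC" backup --exclude-file "$list" "$@" || return 1
    # 2. Transient snapshot: only the listed files, tagged for retention.
    transient_restic backup --tag transient --files-from "$list"
}

# forget_transient [KEEP_DAILY]
# Applies a short retention to tagged snapshots only. The default of 2
# is an illustrative value, not the repository's policy.
forget_transient() {
    keep=${1:-2}
    transient_restic forget --tag transient --keep-daily "$keep" --prune
}

# Usage, with the placeholder path from this README:
#   backup_split transient-log-files /where/the/important/files/are
#   forget_transient 2
```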