I struggle with the right way to backup /etc. Backing this up requires sudo permissions when running restic. My concern is with permissions on the restic repository: is the best practice to create a separate repository in this case? But what about remote (sftp/ssh) repositories: is the idea then to create separate repositories for each machine being backed up?
Hm there are quite a few basic questions in your post and there are no single right answers to them. Here’s my personal take:
Regarding /etc I usually have an extra pre-backup script that picks out the config files I want to backup and put them in a separate backup folder.
The general backup concept depends on your threat model and the possibilities you have. In general, backups should ideally be write only (as seen from the client), independent (separate infrastructure), isolated (separate authentication), versioned, verified and monitored. Remember that you really don’t want to backup but you want to be able to successfully (and maybe quickly) restore if s**t hits the fan.
restic makes most of this pretty easy when using rest-server in append-only mode. There are a ton of posts in here that discuss the rest of the questions at length. Whether you have different repos for clients is mostly a matter of organisation but also depends a little on how big those repos will become, who has access to what when restoring and whether you could benefit from deduplication in case you have similar files on the clients.
If you have some more information about your situation, maybe other people in here can share their take as well.
I have two answers to this:
- I consider the root folder part of the system which I would reinstall from scratch if need be. There are some files in /etc with a custom configuration (ssh, …). I keep a separate repository with those files which has the additional benefit that I can always compare if the installed version is like this separate reference. That’s a manual process and requires sudo rights.
- Additionally, I backup the files readable with user permissions via restic. An exclude file excludes all files which need sudo rights to access. Part of that file is listed below.
/etc/NetworkManager
/etc/default/cacerts
/etc/polkit-1/localauthority
/etc/polkit-1/rules.d
/etc/shadow*
/etc/ssh
/etc/ssl/private
/etc/sudoers*
/etc/ufw
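The second answer keeps a hand-maintained exclude list of the /etc entries that need root to read; the first answer uses a pre-backup script instead. The following shell script, added here as an illustration and not code from the thread or from the restic project, combines the two ideas: it scans a directory for entries the current unprivileged user cannot read, writes them to an exclude file, and hands that file to `restic backup --exclude-file` (a real restic flag). Everything else is an assumption: the function names are hypothetical, restic must be on PATH, and RESTIC_REPOSITORY / RESTIC_PASSWORD must already be set in the environment. The generated list also doubles as a readable record of which files the unprivileged snapshot does not contain.

```shell
#!/bin/sh
# Added example (hypothetical helper names, not restic's own code): build a
# restic exclude file from the entries under a directory that the current
# user cannot read, then run an unprivileged backup with it. Doing the scan
# up front means the list tracks the real permissions on this machine instead
# of a hand-written guess, and the file itself documents what was skipped.

# unreadable_paths DIR
#   Prints, one per line and sorted, every file or directory under DIR that
#   the current user has no read permission on. Errors from find descending
#   into unreadable directories are discarded; the directory itself is still
#   reported because the test below is done on each listed path.
unreadable_paths() {
    dir=$1
    find "$dir" -mindepth 1 \( -type f -o -type d \) 2>/dev/null |
    while IFS= read -r p; do
        if [ ! -r "$p" ]; then
            printf '%s\n' "$p"
        fi
    done | sort
}

# write_exclude_file DIR OUT
#   Writes an exclude file for restic (one path per line, '#' comments are
#   allowed by restic) containing every unreadable entry under DIR.
write_exclude_file() {
    dir=$1
    out=$2
    {
        printf '# generated: entries under %s not readable by uid %s\n' \
            "$dir" "$(id -u)"
        unreadable_paths "$dir"
    } > "$out"
}

# count_excluded FILE
#   Returns (prints) the number of non-comment lines in an exclude file, so a
#   caller can log how many paths the unprivileged snapshot will miss.
count_excluded() {
    grep -c -v '^#' "$1"
}

# backup_unprivileged DIR
#   Generates the exclude file in a temp location, runs the restic backup
#   with it, and cleans up. Assumes RESTIC_REPOSITORY and RESTIC_PASSWORD are
#   set in the environment (assumption of this example).
backup_unprivileged() {
    dir=$1
    excl=$(mktemp)
    write_exclude_file "$dir" "$excl"
    printf 'skipping %s unreadable path(s) under %s\n' \
        "$(count_excluded "$excl")" "$dir" >&2
    restic backup --exclude-file "$excl" "$dir"
    status=$?
    rm -f "$excl"
    return $status
}

# Only run the real backup when explicitly asked for, so the script can also
# be sourced for its functions. Usage: RUN_ETC_BACKUP=1 sh backup-etc.sh /etc
if [ "${RUN_ETC_BACKUP:-0}" = 1 ]; then
    backup_unprivileged "${1:-/etc}"
fi
```

Note that the scan reflects the permissions of whichever user runs it: run as root, nothing is unreadable and the exclude file is empty, which is the intended behaviour for a privileged reference backup but not for the unprivileged one the answer describes.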