Backup via REST and locally

Pardon the title. I wasn’t sure what to call this and I’m not sure how to concisely explain.

Right now, I am using rclone to serve a rest service on my server so I can back up over my local network. Basically, I’m running something like this on the server (via systemd and an rclone service account):

    rclone --config /etc/rclone/rclone.conf \
      serve restic \
      --addr 192.168.1.2:8080 \
      --append-only \
      --htpasswd /etc/rclone/htpasswd \
      restic:/Volumes/storage/matt/backup/repos/shared

On the client, I’m running something like:

    restic --cacert my_cert_bundle.pem \
      -r rest:https://user:password@192.168.1.2:8080 \
      backup ~/Documents/

This works as expected.

I’d also like to back up my server to the same repo. However, I’d rather not use the rest protocol since I have local access to the folder where the repo is stored and running locally is much faster. Basically, I’d like to run something like:

    sudo -u restic restic backup \
      --cacert my_cert_bundle.pem \
      ~/Documents/

This does not work due to permissions.

For more background, Rclone is running as an rclone user and I’m running restic as a restic user. I’ve tried putting restic in the rclone group while also trying various permission permutations on the shared repo directory (either having restic or rclone own it, setting group permissions, etc.). So far, nothing I’ve tried lets me use the shared repo via both protocols.

In summary:

  • If I use rest on client and server, it works.
  • If I start over and use local on server it works locally but not via rest.
  • If I use rest on client and local on server, rest works but local doesn’t.

Is it possible to use both rest and local backups on the same repo while using two different service accounts?

Yes, I think that’s possible. You’ll need to do the following:

  • Make sure both user accounts (rclone and restic) are in a shared group, e.g. backup
  • Set the permissions and ownership for the repo directory so that the group can write: chmod -R 770 /repo; chgrp -R backup /repo
  • When you run restic, make sure the current user account has the active group set to backup, e.g. with a shell script that you run via sudo -u restic -g backup:
    #!/bin/bash
    newgrp backup
    umask 007
    
    restic backup ~/Documents/ 
    
  • When you run the REST server, make sure the umask and group are correct, e.g. again with a shell script:
    #!/bin/bash
    newgrp backup
    umask 007
    
    rclone --config /etc/rclone/rclone.conf \
    serve restic \
      --addr 192.168.1.2:8080 \
      --append-only \
      --htpasswd /etc/rclone/htpasswd \
      restic:/Volumes/storage/matt/backup/repos/shared
    

Newly created files from either process should then have the group set to backup with the correct permissions.

Thank you for the quick response. I will have to give this a go. Trying newgrp and umask didn’t occur to me, but I think it may work. I had tried putting both users in the same group and setting permissions to 770 (with shared group ownership).

Quick update on this. I was not able to get this to work. I’m not sure, but I think the issue may have been that my two service accounts had their shell set to /sbin/nologin and that may have kept newgrp/umask from working as intended. Rather than continue to fight permissions and such, I decided to let my rclone service run as my restic user.
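
An added example, not part of the thread and not code from restic or rclone: a shell check for the conditions the answer lists (shared group ownership and group access on every directory and file), run over a constructed directory tree. The function names, the sample tree, and the use of the current user's primary group in place of `backup` are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Lists paths under a repository
# directory that would stop a second service account in the shared group.

# find_group_blockers DIR GROUP
# Prints every path that is not owned by GROUP, every directory without
# group rwx, and every file without group read.
find_group_blockers() {
    find "$1" \( ! -group "$2" \
        -o \( -type d ! -perm -070 \) \
        -o \( -type f ! -perm -040 \) \) -print
}

# make_sample_repo: builds a constructed repository-like tree in a temp
# directory and prints its path. The data/ab subtree is created with a
# restrictive umask, as a process that skipped "umask 007" would do.
make_sample_repo() {
    repo=$(mktemp -d) || return 1
    (
        umask 007
        chmod 770 "$repo"
        mkdir "$repo/data" "$repo/snapshots"
        : > "$repo/config"
        mkdir "$repo/data/cd"
        : > "$repo/data/cd/pack2"
    )
    (
        umask 077
        mkdir "$repo/data/ab"
        : > "$repo/data/ab/pack1"
    )
    # Normalise group ownership so only the mode bits differ in this sample.
    chgrp -R "$(id -gn)" "$repo"
    printf '%s\n' "$repo"
}

demo_repo=$(make_sample_repo)
echo "Paths that block group access for $(id -gn):"
find_group_blockers "$demo_repo" "$(id -gn)"
rm -rf "$demo_repo"
```

On a real repository, pass the repo path and the shared group name; an empty result means every path meets the group conditions checked here.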