Dynamically provide repo path to command in $RESTIC_PASSWORD_COMMAND ... including when repo was set via -r flag (not $RESTIC_REPOSITORY)

I’m managing a bunch of repos for many servers, and accessing multiple from a single server.

I use both the $RESTIC_REPOSITORY + $RESTIC_PASSWORD_COMMAND shell variables to change the command depending on which repo I’m working on. But wondering if there’s a way to not have to change $RESTIC_PASSWORD_COMMAND every time, especially when I’m doing lots of manual experimentation and changing the -r repo argument a lot.

i.e. Restic could give it an argument or set a shell variable itself that includes the path to the repo I’m accessing.

So let’s say I have a single shell script called get-any-restic-password.sh that can take a repo path like /tmp/repo1.restic and my script knows how to parse that path and return the password for repo1.restic

Then I could simply set this fixed variable up for Restic:

export RESTIC_PASSWORD_COMMAND="get-any-restic-password.sh _REPOPATH_"

And Restic would replace the _REPOPATH_ placeholder with whatever the repo path is, regardless of if it came from $RESTIC_REPOSITORY or a -r argument.

Hi :wave:

This sounds like a thing which a wrapper should manage instead of restic itself.
If I understand correctly, why not having an export_variables_for_repo.sh which should get the repo name you’d like and print all needed variables like:

.. any other extra variables like RESTIC_CACHE_DIR or AWS_* stuff as needed

So you can just use something like eval "$(export_variables_for_repo.sh myreponame)" to import correct variables to your shell?

I have all my restic passwords in KeePassXC, extracted by Linux’s secret-tool command. The key (name of the password entry) is simply the basename of the restic repo. So for /foo/bar/mydata.restic the entry name is mydata.

I simply run restic via a wrapper script that takes the repo name, parses it to get the password entry name (e.g., “mydata”), and sets the RESTIC_PASSWORD_COMMAND to secret-tool lookup Path mydata.