Hi everyone
I have tried, and failed, to set up a rest-server on my older Arch Linux, which I want to turn into a backup server.
Versions: rest-server 0.13.0 compiled with go1.23.4 on linux/amd64 on the backup server, and restic 0.17.3 compiled with go1.23.3 on linux/amd64 on the client computer.
The server works perfectly from the command line:
restic-rest-server --path /media/backup/restic-repo --htpasswd-file /home/user/.server/.htpasswd --tls --tls-cert /home/user/.server/restic-public_key --tls-key /home/user/.server/restic-private_key
yet it does not work when I try to set it up as a systemd service. I tried both the /etc/systemd/... and the ~/.config/systemd/user/... locations (adding user and group in the first case), and in both cases the service does not see the files in the file system:
-rw-rw-rw- 1 atzan 75 Dec 13 13:12 .htpasswd
-rw------- 1 atzan 1704 Dec 13 16:04 restic-private_key
-rw-r--r-- 1 atzan 1289 Dec 13 16:04 restic-public_key
System log:
Dec 16 10:29:45 archlinux systemd[657]: rest-server.service: Scheduled restart job, restart counter is at 21.
Dec 16 10:29:45 archlinux systemd[657]: Started Rest Server.
Dec 16 10:29:45 archlinux restic-rest-server[668091]: Data directory: /media/backup/restic-repo
Dec 16 10:29:45 archlinux restic-rest-server[668091]: Authentication enabled
Dec 16 10:29:45 archlinux restic-rest-server[668091]: error: cannot load /home/user/.server/.htpasswd (use --no-auth to disable): stat /home/user/.server/.htpasswd: permission d>
Dec 16 10:29:45 archlinux systemd[657]: rest-server.service: Main process exited, code=exited, status=1/FAILURE
Dec 16 10:29:45 archlinux systemd[657]: rest-server.service: Failed with result 'exit-code'.
and this is the rest-server.service file:
[Unit]
Description=Rest Server
#After=syslog.target
#After=network.target
Requires=rest-server.socket
After=rest-server.socket
[Service]
Type=simple
# You may prefer to use a different user or group on your system.
#WorkingDirectory=/home/user
ExecStart=restic-rest-server --path /media/backup/restic-repo --htpasswd-file /home/user/.server/.htpasswd --tls --tls-cert /home/user/.server/restic-public_key --tls-key /home/user/.server/restic-private_key
Restart=always
RestartSec=5
# The following options are available (in systemd v247) to restrict the
# actions of the rest-server.
# As a whole, the purpose of these are to provide an additional layer of
# security by mitigating any unknown security vulnerabilities which may exist
# in rest-server or in the libraries, tools and operating system components
# which it relies upon.
# IMPORTANT!
# The following line must be customised to your individual requirements.
# ReadWritePaths=/media/2TB-backup/restic-at-server-secondary
# Makes created files group-readable, but inaccessible by others
# UMask=027
# If your system doesn't support all of the features below (e.g. because of
# the use of an older version of systemd), you may wish to comment-out
# some of the lines below as appropriate.
CapabilityBoundingSet=
LockPersonality=true
MemoryDenyWriteExecute=true
NoNewPrivileges=yes
# As the listen socket is created by systemd via the rest-server.socket unit, it is
# no longer necessary for rest-server to have access to the host network namespace.
PrivateNetwork=yes
PrivateTmp=yes
PrivateDevices=true
PrivateUsers=true
ProtectSystem=strict
ProtectHome=yes
ProtectClock=true
ProtectControlGroups=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectProc=invisible
ProtectHostname=true
RemoveIPC=true
RestrictNamespaces=true
RestrictAddressFamilies=none
#RestrictSUIDSGID=true
RestrictRealtime=true
# if your service crashes with "code=killed, status=31/SYS", you probably tried to run linux_i386 (32bit) binary on a amd64 host
SystemCallArchitectures=native
SystemCallFilter=@system-service
# Additionally, you may wish to use some of the systemd options documented in
# systemd.resource-control(5) to limit the CPU, memory, file-system I/O and
# network I/O that the rest-server is permitted to consume according to the
# individual requirements of your installation.
#CPUQuota=25%
#MemoryHigh=bytes
#MemoryMax=bytes
#MemorySwapMax=bytes
#TasksMax=N
#IOReadBandwidthMax=device bytes
#IOWriteBandwidthMax=device bytes
#IOReadIOPSMax=device IOPS, IOWriteIOPSMax=device IOPS
#IPAccounting=true
#IPAddressAllow=
[Install]
WantedBy=multi-user.target
Any advice greatly appreciated.
AndreasT
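
An added example, not part of the original post: a small Python check that reads a unit file and reports how each absolute path on the ExecStart line appears inside the sandbox set by ProtectHome= and ProtectSystem=. The function names are hypothetical, the sample is built from the unit file above, and BindPaths=/BindReadOnlyPaths= are assumed absent and not modelled.

```python
import shlex

# Constructed sample: the sandbox-relevant lines of the unit file from the post.
UNIT = """\
[Service]
ExecStart=restic-rest-server --path /media/backup/restic-repo --htpasswd-file /home/user/.server/.htpasswd --tls --tls-cert /home/user/.server/restic-public_key --tls-key /home/user/.server/restic-private_key
# ReadWritePaths=/media/2TB-backup/restic-at-server-secondary
ProtectSystem=strict
ProtectHome=yes
"""

HOME_TREES = ("/home", "/root", "/run/user")    # directories covered by ProtectHome=
HIDES = {"yes", "true", "1", "on", "tmpfs"}     # values that hide those directories

def parse_service(text):
    """Collect key -> list of values from [Service], skipping comment lines."""
    section, opts = None, {}
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, value = line.split("=", 1)
            opts.setdefault(key.strip(), []).append(value.strip())
    return opts

def under(path, root):
    return path == root or path.startswith(root.rstrip("/") + "/")

def sandbox_view(text):
    """Map each absolute path in ExecStart to how the sandboxed service sees it."""
    opts = parse_service(text)
    home = opts.get("ProtectHome", ["no"])[-1].lower()
    strict = opts.get("ProtectSystem", ["no"])[-1].lower() == "strict"
    writable = [p.lstrip("-+") for v in opts.get("ReadWritePaths", []) for p in v.split()]
    view = {}
    args = shlex.split(opts.get("ExecStart", [""])[-1])
    for arg in filter(lambda a: a.startswith("/"), args):
        in_home = any(under(arg, t) for t in HOME_TREES)
        if in_home and home in HIDES:
            view[arg] = "inaccessible"          # hidden from the service entirely
        elif (in_home and home == "read-only") or (strict and not any(under(arg, w) for w in writable)):
            view[arg] = "read-only"             # fine for keys, not for the repository
        else:
            view[arg] = "unchanged"
    return view

if __name__ == "__main__":
    print("\n".join(f"{s:12} {p}" for p, s in sandbox_view(UNIT).items()))
```

On the sample it reports the three files under /home/user/.server as inaccessible, which matches the permission error in the log, and the repository path as read-only because the ReadWritePaths= line is commented out.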