Help needed to setup rest-server in Arch Linux

Hi everyone

I have tried, and failed, to setup a rest-server in my older Arch Linux which I want to turn to a backup server.

rest-server version rest-server 0.13.0 compiled with go1.23.4 on linux/amd64 on backup server and restic 0.17.3 compiled with go1.23.3 on linux/amd64 on client computer.

Server works perfectly from command line:

restic-rest-server --path /media/backup/restic-repo --htpasswd-file /home/user/.server/.htpasswd --tls --tls-cert /home/user/.server/restic-public_key --tls-key /home/user/.server/restic-private_key

yet it does not work when I tried to set it up as a systemd service. I tried both /etc/systemd/... as well as ~/.config/systemd/user/... location (adding user and group in the first case) and in both cases the service does not see the files in the file system:

-rw-rw-rw-  1 atzan   75 Dec 13 13:12 .htpasswd
-rw-------  1 atzan 1704 Dec 13 16:04 restic-private_key
-rw-r--r--  1 atzan 1289 Dec 13 16:04 restic-public_key

System log:

Dec 16 10:29:45 archlinux systemd[657]: rest-server.service: Scheduled restart job, restart counter is at 21.
Dec 16 10:29:45 archlinux systemd[657]: Started Rest Server.
Dec 16 10:29:45 archlinux restic-rest-server[668091]: Data directory: /media/backup/restic-repo
Dec 16 10:29:45 archlinux restic-rest-server[668091]: Authentication enabled
Dec 16 10:29:45 archlinux restic-rest-server[668091]: error: cannot load /home/user/.server/.htpasswd (use --no-auth to disable): stat /home/user/.server/.htpasswd: permission d>
Dec 16 10:29:45 archlinux systemd[657]: rest-server.service: Main process exited, code=exited, status=1/FAILURE
Dec 16 10:29:45 archlinux systemd[657]: rest-server.service: Failed with result 'exit-code'.

and this is the rest-server.service file:

[Unit]
Description=Rest Server
#After=syslog.target
#After=network.target
Requires=rest-server.socket
After=rest-server.socket

[Service]
Type=simple

# You may prefer to use a different user or group on your system.

#WorkingDirectory=/home/user
ExecStart=restic-rest-server --path /media/backup/restic-repo --htpasswd-file /home/user/.server/.htpasswd --tls --tls-cert /home/user/.server/restic-public_key --tls-key /home/user/.server/restic-private_key
Restart=always
RestartSec=5

# The following options are available (in systemd v247) to restrict the
# actions of the rest-server.

# As a whole, the purpose of these are to provide an additional layer of
# security by mitigating any unknown security vulnerabilities which may exist
# in rest-server or in the libraries, tools and operating system components
# which it relies upon.

# IMPORTANT!
# The following line must be customised to your individual requirements.
# ReadWritePaths=/media/2TB-backup/restic-at-server-secondary

# Makes created files group-readable, but inaccessible by others
# UMask=027

# If your system doesn't support all of the features below (e.g. because of
# the use of an older version of systemd), you may wish to comment-out
# some of the lines below as appropriate.
CapabilityBoundingSet=
LockPersonality=true
MemoryDenyWriteExecute=true
NoNewPrivileges=yes

# As the listen socket is created by systemd via the rest-server.socket unit, it is
# no longer necessary for rest-server to have access to the host network namespace.
PrivateNetwork=yes

PrivateTmp=yes
PrivateDevices=true
PrivateUsers=true
ProtectSystem=strict
ProtectHome=yes
ProtectClock=true
ProtectControlGroups=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectProc=invisible
ProtectHostname=true
RemoveIPC=true
RestrictNamespaces=true
RestrictAddressFamilies=none
#RestrictSUIDSGID=true
RestrictRealtime=true
# if your service crashes with "code=killed, status=31/SYS", you probably tried to run linux_i386 (32bit) binary on a amd64 host
SystemCallArchitectures=native
SystemCallFilter=@system-service

# Additionally, you may wish to use some of the systemd options documented in
# systemd.resource-control(5) to limit the CPU, memory, file-system I/O and
# network I/O that the rest-server is permitted to consume according to the
# individual requirements of your installation.
#CPUQuota=25%
#MemoryHigh=bytes
#MemoryMax=bytes
#MemorySwapMax=bytes
#TasksMax=N
#IOReadBandwidthMax=device bytes
#IOWriteBandwidthMax=device bytes
#IOReadIOPSMax=device IOPS, IOWriteIOPSMax=device IOPS
#IPAccounting=true
#IPAddressAllow=

[Install]
WantedBy=multi-user.target

Any advice greatly appreciated.

AndreasT

See this: Systemd ProtectHome & Allowing access to specific home directory - Unix & Linux Stack Exchange

Also make sure that the entire path to that file and the file are readable by the user the service runs as. Whether this is the case is not clear from the information you provided, so I’m just mentioning it :slight_smile:

Thanks rawtaz

the user the service runs as is the same user home directory where the files are located. You solved my issue and I feel stupid as I did not see the ProtectHome=yes duhhhh.

No worries, thanks for verifying the solution so others can benefit from it!