I did something like git-like public hosting for my backups. Each machine uses its own ssh key (this can be easily automated). On the backup server I run rclone as a restic backend. Each server connects as
The backups are located in /srv/backup/HOST. To force the use of rclone I put this on the
no-X11-forwarding,no-port-forwarding,no-agent-forwarding,no-pty,no-user-rc,command="/usr/bin/rclone serve restic --stdio /srv/backup/HOST" ssh-ed25519 ... SERVER1
If you want better security you can make sure the restic user cannot modify its own key file by adding this in
Match User restic
And put all the ssh keys in /etc/ssh/authorized_keys/restic owned by root.restic with perms
Now you have to invoke
restic --repo "rclone:" --option "rclone.program=ssh -i /path/to/ssh/key restic@BACKUP_SERVER" ...
Hope that helps.
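An added example, not part of the original post: a small Python audit for the shared key file described above, checking that every entry carries the restrictions and forced rclone command from the post and that no two keys point at the same /srv/backup/HOST directory. The regexes, function names and sample entries are assumptions constructed for illustration.

```python
import re

# Restrictions and forced command as given in the post's authorized_keys line.
REQUIRED = set("no-x11-forwarding no-port-forwarding no-agent-forwarding no-pty no-user-rc".split())
CMD_RE = re.compile(r"/usr/bin/rclone serve restic --stdio (/srv/backup/[A-Za-z0-9][A-Za-z0-9._-]*)")
OPT_RE = re.compile(r'([\w-]+)(?:="((?:[^"\\]|\\.)*)")?([,\s])')  # name[="value"] then , or space
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")

def parse_options(line):
    """Parse the leading options field of one authorized_keys entry into a dict."""
    opts, pos = {}, 0
    if line.startswith(KEY_TYPES):      # entry has no options field
        return opts
    while (m := OPT_RE.match(line, pos)):
        opts[m.group(1).lower()] = m.group(2) or ""
        pos = m.end()
        if m.group(3) != ",":           # whitespace ends the options field
            break
    return opts

def audit(text):
    """Return (line_number, problem) pairs for entries that weaken the setup."""
    findings, seen = [], {}
    for n, line in enumerate(map(str.strip, text.splitlines()), 1):
        if not line or line.startswith("#"):
            continue
        opts = parse_options(line)
        missing = sorted(REQUIRED - opts.keys())
        match = CMD_RE.fullmatch(opts.get("command", ""))
        if missing:
            findings.append((n, "missing: " + ",".join(missing)))
        if not match:
            findings.append((n, "forced command not pinned to rclone under /srv/backup"))
        elif match.group(1) in seen:    # two keys can write to the same repository
            findings.append((n, f"repository shared with line {seen[match.group(1)]}"))
        else:
            seen[match.group(1)] = n
    return findings

# Constructed sample file: key blobs and host names are placeholders.
OPTS = "no-X11-forwarding,no-port-forwarding,no-agent-forwarding,no-pty,no-user-rc"
CMD = 'command="/usr/bin/rclone serve restic --stdio /srv/backup/%s"'
SAMPLE = "\n".join([
    f"{OPTS},{CMD % 'server1'} ssh-ed25519 AAAAconstructed1 SERVER1",
    f"{OPTS.replace(',no-pty', '')},{CMD % 'server2'} ssh-ed25519 AAAAconstructed2 SERVER2",
    "ssh-ed25519 AAAAconstructed3 SERVER3",
    f"{OPTS},{CMD % 'server1'} ssh-ed25519 AAAAconstructed4 SERVER4"])
if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

An entry the parser cannot read yields an empty option set, so malformed lines are reported rather than silently accepted.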