Restic configuration setup

Bhupal · September 20, 2022, 4:23pm

Hi i am able to download the restic module from syseleven/restic · Puppet module to configure Restic systemd service to backup/forget/restore data. · Puppet Forge

and installing via puppet is good but while taking simple backup i am unable to reload the backup service.

Example:

Initialize Restic repository only on an S3 Bucket

---
classes:
  - restic

restic::repositories:
  some_repo1:
    enable_backup: false
    id: a3f5173hdsks934
    key: y7ahajhsd3uzasa
    password: yxcvasdf1234
    host: some.host.name
    bucket: bucket_name/backup1

Add a simple backup

Configure a repository and backup 2 directories

---
classes:
  - restic

restic::repositories:
  some_repo2:
    backup_path:
      - /full/path/1
      - /some/other/path
    backup_timer: Mon..Sun 20:00:00
    bucket: bucket_name/backup1
    host: some.host.name
    id: a3f5173hdsks934
    key: y7ahajhsd3uzasa
    password: yxcvasdf1234

Error:

etc/systemd/system # systemctl status restic_backup_etc.service
● restic_backup_etc.service
Loaded: loaded (/etc/systemd/system/restic_backup_etc.service; static; vendor preset: enabled)
Active: failed (Result: exit-code) since Tue 2022-09-20 14:58:13 UTC; 1h 14min ago
Main PID: 3755383 (code=exited, status=1/FAILURE)](http://xxxxxxxxx/) systemd[1]: Starting restic_backup_etc.service…
restic[3755383]: Fatal: unable to open config file: Stat: The Access Key Id you provided does not exist in our records.
: Is there a repository at the following location?
restic[3755383]: s3:http://ip:port/restic/xxxxxxxxx
systemd[1]: restic_backup_etc.service: Main process exited, code=exited, status=1/FAILURE
systemd[1]: restic_backup_etc.service: Failed with result ‘exit-code’.
systemd[1]: Failed to start restic_backup_etc.service.

MichaelEischer · September 21, 2022, 8:21pm

It looks like there’s something wrong with the credentials to access S3.

Bhupal · October 26, 2022, 9:10pm

the file repository.pp file

# @summary
#   Configure a Restic service to backup/forget/restore data.
#
# @api private
#
define restic::repository (
  Variant[Array[String[1]],String[1]] $backup_flags     = $restic::backup_flags,
  Optional[Restic::Path]              $backup_path      = $restic::backup_path,
  Optional[String[1]]                 $backup_pre_cmd   = $restic::backup_pre_cmd,
  Optional[String[1]]                 $backup_post_cmd  = $restic::backup_post_cmd,
  Optional[String[1]]                 $backup_timer     = $restic::backup_timer,
  Stdlib::Absolutepath                $binary           = $restic::binary,
  Optional[String]                    $bucket           = $restic::bucket,
  Boolean                             $enable_backup    = $restic::enable_backup,
  Boolean                             $enable_forget    = $restic::enable_forget,
  Boolean                             $enable_restore   = $restic::enable_restore,
  Restic::Forget                      $forget           = $restic::forget,
  Variant[Array[String[1]],String[1]] $forget_flags     = $restic::forget_flags,
  Optional[String[1]]                 $forget_pre_cmd   = $restic::forget_pre_cmd,
  Optional[String[1]]                 $forget_post_cmd  = $restic::forget_post_cmd,
  Optional[String[1]]                 $forget_timer     = $restic::forget_timer,
  Variant[Array[String[1]],String[1]] $global_flags     = $restic::global_flags,
  String                              $group            = $restic::group,
  Optional[String]                    $host             = $restic::host,
  Optional[String]                    $id               = $restic::id,
  Boolean                             $init_repo        = $restic::init_repo,
  Optional[String]                    $key              = $restic::key,
  Optional[String]                    $password         = $restic::password,
  Boolean                             $prune            = $restic::prune,
  Variant[Array[String[1]],String[1]] $restore_flags    = $restic::restore_flags,
  Optional[Stdlib::Absolutepath]      $restore_path     = $restic::restore_path,
  Optional[String[1]]                 $restore_pre_cmd  = $restic::restore_pre_cmd,
  Optional[String[1]]                 $restore_post_cmd = $restic::restore_post_cmd,
  String[1]                           $restore_snapshot = $restic::restore_snapshot,
  Optional[String[1]]                 $restore_timer    = $restic::restore_timer,
  Restic::Repository::Type            $type             = $restic::type,
  String[1]                           $user             = $restic::user,
) {
  assert_private()

  if $enable_backup and $backup_path == undef {
    fail("restic::repository[${title}]: You have to set \$backup_path if you enable the backup!")
  }

  if $enable_restore and $restore_path == undef {
    fail("restic::repository[${title}]: You have to set \$restore_path if you enable the restore!")
  }

  $repository  = "${type}:${host}/${bucket}"
  $config_file = "/etc/default/restic_${title}"

  if $init_repo {
    exec { "restic_init_${repository}_${title}":
      command     => "${binary} init",
      environment => [
      "AWS_ACCESS_KEY_ID=${id}",
      "AWS_SECRET_ACCESS_KEY=${key}",
      "RESTIC_PASSWORD=${password}",
      "RESTIC_REPOSITORY=${repository}",
      ],
      onlyif      => "${binary} snapshots 2>&1 | grep -q 'Is there a repository at the following location'",
    }
  }

  if $enable_backup or $enable_forget or $enable_restore {
    concat { $config_file:
      ensure         => 'present',
      ensure_newline => true,
      group          => 'root',
      mode           => '0440',
      owner          => 'root',
      show_diff      => true,
    }

    $config_keys = {
      'AWS_ACCESS_KEY_ID'     => Sensitive($id),
      'AWS_SECRET_ACCESS_KEY' => Sensitive($key),
      'GLOBAL_FLAGS'          => [ $global_flags, ].flatten.join(' '),
      'RESTIC_PASSWORD'       => Sensitive($password),
      'RESTIC_REPOSITORY'     => $repository,
    }

    $config_keys.each |$config,$data| {
      concat::fragment { "restic_fragment_${title}_${config}":
        content => "${config}='${data.unwrap}'",
        target  => $config_file,
      }
    }
  } else {
    concat { $config_file:
      ensure => 'absent',
    }
  }

  ##
  ## backup service
  ##
  $backup_commands = [
    $backup_pre_cmd,
    "${binary} backup \$GLOBAL_FLAGS \$BACKUP_FLAGS",
    $backup_post_cmd,
  ].delete_undef_values

  $backup_keys = {
    'BACKUP_FLAGS' => [ $backup_flags, $backup_path, ].flatten.join(' '),
  }

  restic::service { "restic_backup_${title}":
    commands => $backup_commands.delete_undef_values,
    config   => $config_file,
    configs  => $backup_keys,
    enable   => $enable_backup,
    group    => $group,
    timer    => $backup_timer,
    user     => $user,
  }

  ##
  ## forget service
  ##
  $forget_commands = [
    $forget_pre_cmd,
    "${binary} forget \$GLOBAL_FLAGS \$FORGET_FLAGS",
    $forget_post_cmd,
  ]

  $forgets       = $forget.map |$k,$v| { "--${k} ${v}" }
  $forget_prune  = if $prune { '--prune' } else { undef }
  $forget_keys   = {
    'FORGET_FLAGS' => [ $forgets, $forget_prune, $forget_flags, ].delete_undef_values.flatten.join(' '),
  }

  restic::service { "restic_forget_${title}":
    commands => $forget_commands.delete_undef_values,
    config   => $config_file,
    configs  => $forget_keys,
    enable   => $enable_forget,
    group    => $group,
    timer    => $forget_timer,
    user     => $user,
  }

  ##
  ## restore service
  ##
  $restore_commands = [
    $restore_pre_cmd,
    "${binary} restore \$GLOBAL_FLAGS \$RESTORE_FLAGS",
    $restore_post_cmd,
  ]

  $restore_keys = {
    'RESTORE_FLAGS' => [ "-t ${restore_path}", $restore_flags, $restore_snapshot, ].flatten.join(' '),
  }

  restic::service { "restic_restore_${title}":
    commands => $restore_commands.delete_undef_values,
    config   => $config_file,
    configs  => $restore_keys,
    enable   => $enable_restore,
    group    => $group,
    timer    => $restore_timer,
    user     => $user,
  }
}

if I do data unwrap it is able to backup and I see the access key and secret key is in readable format and if the data is wrap it is not able to backup and keys are hardcoded. for example file which modified in “repository.pp”:

wrap$config_keys.each |$config,$data| {
  concat::fragment { "restic_fragment_${title}_${config}":
  content => "${config}='${data.unwrap}'",
  target  => $config_file,
}

rawtaz · October 26, 2022, 9:38pm

@Bhupal We cannot debug Perl code for you, you’ll have to investigate this yourself. Look at the environment variables and the exact command that is actually run in the end, by your script. As it looks now, the proper credentials are not given to restic.

Another thing you can do is to run restic manually with your credentials, to verify that they do work as intended and that you do have the access you need using those credentials. Simply run it manually on the command line, with the proper environment variables etc for your cloud service.

EDIT: I fixed the formatting in your previous reply to make it readable.