Restic/Rclone based append-only backup to multiple repos using a single SSH key

Setting
Two servers

  • dataserver: Server having different data to be backed up
  • backupserver: Server hosting backup repositories

Goal

  • Backup server provides a single directory /path/to/basedir/
  • Data server may init repos and back up files to different repos lying in basedir
  • Auth via SSH keys
  • Repos are append-only
  • Access to backupserver is constrained to usage by restic
  • There should be no need to add a new SSH-key and a new line in .ssh/authorized_keys for every repo

Approach 1
Backup Server

rclone.conf
[databackup]
type = alias
remote = /path/to/basedir

Dataserver

restic  -o rclone.program="ssh backupserver rclone" -o rclone.args="serve restic --stdio --verbose --append-only" -r rclone:databackup:first_repo init
restic  -o rclone.program="ssh backupserver rclone" -o rclone.args="serve restic --stdio --verbose --append-only" -r rclone:databackup:second_repo init
...
  • Functional requirements fulfilled :heavy_check_mark:, security requirements not fulfilled since not enforced on backup server:
    • Append-only can be circumvented :x:
    • SSH-Access not restricted to restic/rclone :x:

Approach 2
Backup Server
~/.ssh/authorized_keys

restrict,command="rclone serve restic --stdio --append-only --verbose databackup" ssh-rsa...

Data Server

restic  -o rclone.program="ssh backuphost"  -r rclone:first_repo init
  • Does not work: “Fatal: create repository at rclone: failed: Fatal: config file already exists” :x:

Approach 3
Backup Server
rclone.conf

<empty>

~/.ssh/authorized_keys

restrict,command="rclone serve restic --stdio --append-only --verbose /path/to/basedir/" ssh-rsa...

Data Server

restic  -o rclone.program="ssh backuphost"  -r rclone:x init # "x" will be ignored
  • Security requirements fulfilled, functional requirements not fulfilled
  • Append-only enforced on server side :heavy_check_mark:
  • SSH-Access constrained to restic/rclone and /path/to/basedir :heavy_check_mark:
  • Does not allow multiple repos, /path/to/basedir will itself be initialized as repo :x:
    (This is effectively the solution provided by "Append-only backups with restic and rclone")

Based on the mentioned non-perfect approaches, which approach could be used to fulfil the initially stated goal?
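
One way to keep Approach 3's server-side enforcement while still selecting a repo per invocation, as an added example that is not part of the original post: a forced-command wrapper that takes the repo name from SSH_ORIGINAL_COMMAND and validates it before handing a path under basedir to rclone. Assumptions: the script name and install path are hypothetical, and the client is assumed to send the repo name as the last word of its command (e.g. restic -o rclone.program="ssh backupserver" -r rclone:first_repo init).

```shell
#!/bin/sh
# Hypothetical wrapper, e.g. installed as /usr/local/bin/restic-wrapper.sh.
# Assumed ~/.ssh/authorized_keys entry on the backup server:
#   restrict,command="/usr/local/bin/restic-wrapper.sh serve" ssh-rsa...
BASEDIR="${BASEDIR:-/path/to/basedir}"

# Print the repository directory for a client request, or return 1.
# $1 is the value of SSH_ORIGINAL_COMMAND; everything except its last
# word is discarded, so the client cannot influence rclone's options.
resolve_repo() {
    request=$1
    name=${request##* }    # last space-separated word (assumed repo name)
    case "$name" in
        # Reject: empty, leading dot (covers . and ..), leading dash,
        # or any character outside the allow-list (covers / and \).
        ''|.*|-*|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    printf '%s/%s\n' "${BASEDIR%/}" "$name"
}

serve() {
    repo=$(resolve_repo "${SSH_ORIGINAL_COMMAND:-}") || {
        echo "rejected repository name" >&2
        exit 1
    }
    # Append-only and the base directory are fixed here, on the server.
    exec rclone serve restic --stdio --append-only "$repo"
}

# Only serve when invoked by the forced command; sourcing the file
# (e.g. to test resolve_repo) does nothing.
if [ "${1:-}" = "serve" ]; then
    serve
fi
```

With this in place one authorized_keys line covers every repo below basedir, and a request such as `x ../../etc` is refused before rclone starts.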