2.4 KiB
Add the admin account as deuxfleurs
to your ~/.mc/config
file
You need to choose some names/identifiers:
export BUCKET_NAME=example
export NEW_ACCESS_KEY_ID=hello
export NEW_SECRET_ACCESS_KEY=$(openssl rand -base64 32)
export POLICY_NAME="policy-$BUCKET_NAME"
Create a new bucket:
mc mb deuxfleurs/$BUCKET_NAME
Create a new user:
mc admin user add deuxfleurs $NEW_ACCESS_KEY_ID $NEW_SECRET_ACCESS_KEY
Add this new user to your ~/.mc/config.json
file, as backup-user
for example.
Create a policy for this bucket and save it as json:
cat > /tmp/policy.json <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::${BUCKET_NAME}"
]
},
{
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::${BUCKET_NAME}/*"
]
}
]
}
EOF
Register it:
mc admin policy add deuxfleurs $POLICY_NAME /tmp/policy.json
Set it to your user:
mc admin policy set deuxfleurs $POLICY_NAME user=${NEW_ACCESS_KEY_ID}
Now it should display only your new bucket when running:
mc ls backup-user/
Now we need to initialize the repository with restic.
export ENDPOINT="https://garage.tld"
export AWS_ACCESS_KEY_ID=$NEW_ACCESS_KEY_ID
export AWS_SECRET_ACCESS_KEY=$NEW_SECRET_ACCESS_KEY
export RESTIC_REPOSITORY="s3:$ENDPOINT/$BUCKET_NAME"
export RESTIC_PASSWORD=$(openssl rand -base64 32)
Then init the repo for restic from your machine:
restic init
I am using restic version restic 0.12.1 compiled with go1.16.9 on linux/amd64
See your snapshots with:
restic snapshots
Add the secrets to Consul, near your service secrets. The idea is that the backuping service is a component of the global running service. You must add:
backup_aws_access_key_id
backup_aws_secret_access_key
backup_restic_repository
backup_restic_password
Now we need a service that runs:
restic backup .
And also that garbage collect snapshots. I propose:
restic forget --prune --keep-within 1m1d --keep-within-weekly 3m --keep-within-monthly 1y