Posts tagged with “Restic” on Mark van Lent’s weblog

Restic at the center of my backups

2025-11-27T19:59:36Z

Some time ago I started using restic for creating backups of my home directory of my laptop. Now it has become my main solution for backing up my most valued data.

The old script

In the olden days, when I was still using CD-ROMs (or actually CD-RWs) to store backups, I had three snapshots (each a set of two CDs). When I created a new backup, I rotated them by overwriting the oldest disks.

My actual sets of CDs, last used in 2005: red was the most recent backup, yellow one version older and the set of CDs in the green case contains the oldest backup

Later on, when I was using an external hard disk, I had a script that made incremental backups using hard links so I could have multiple full backups, but not need x times the space. Unfortunately I lost that script.

After not creating backups for a while, I wrote a Bash script which handled the whole backup process:

opening the (LUKS encrypted) external drive,
mounting it,
performing the backup, and finally
unmounting and closing the device again.

The following line was handling the actual backing up:

rsync -av --delete --exclude-from=backup.excludes /home $MOUNT_DIR/$(hostname -s)/

Plain and simple.

This protected me from losing my data if my machine got stolen or if the hard drive failed. And it served me well for a number of years. But on multiple occasions I would have loved to have an older version of a file that got changed or even deleted before my last backup. This triggered me to look for another solution a few years back.

Restic to the rescue

Since I didn’t want to reinvent the wheel myself again, I was looking for backup solutions and ran across restic. After a bit of reading and experimenting, I basically replaced the rsync line from the previous script with the following:

restic -r $MOUNT_DIR --verbose backup "/home/${USER}" --exclude-file="/home/${USER}/backup.excludes"

And then I added a few more commands to the script:

“restic -r $MOUNT_DIR check” to check the repository for errors
“restic -r $MOUNT_DIR forget --keep-last 7 --prune” to only keep the last 7 snapshots

Benefits

What did this change bring me?

For starters, if we assume I make a backup each week, I can go back at least 7 weeks in time. In practice I’m not that consistent anymore so I can go back even further in time.

What’s more: according to restic each of my backups is about 105–100 GB of data. But due to the compression and deduplication these 7 (incremental) backups only use 69 GB combined.

Another benefit is that the backups are encrypted. So if I would want to store them in the cloud, I can be sure the cloud provider cannot access my data.

And speaking of which: while I use local storage (my external disk) and a remote REST Server (see below), restic supports a bunch of other backends: Amazon S3, Azure blob storage and Google Cloud Storage to name a few.

A backup is worth nothing if you cannot restore from it. Besides restoring a full snapshot, with restic I can also mount the snapshots to navigate the files and view them individualy. This allows me to browse around in my snapshot just like any other file system.

In case you had not noticed yet: I’ve become a fan of restic.

Next level

Initially I was only using restic to make backups of my laptop to an external hard drive. But recently I’ve taken it to a next level and use it for offsite backups as well.

HAproxy -> VPN tunnel -> Nginx -> Rest Server" width="150px"> I’ve put a computer at a remote location and run the Rest Server. In my local network I have a VM that acts as a transparent HTTP proxy and is connected to the remote box via VPN.

This way any local machine (like my NAS) only needs to be able to run restic and I’m good to go. I just point restic to the internal VM and it handles the VPN for me.

restic -r rest:https:///

The reason I put Nginx in front of the Rest Server is so that it can handle the authentication and TLS termination. Sure, the Rest Server itself can also do this, but I feel Nginx is more battle tested.

This setup allows me to automatically run my backups each night since I do not have to attach a USB disk. It also gives me an offsite backup, without a monthly bill from a storage provider. What’s more: it gives me a sense of control. I know exactly how everything works and if disaser strikes and I need to restore all my data, I can bring the remote machine home and have local access to it.

Setting this up was something I have been putting off for a while now, but this project is finally finished.

Useful resources

Some of the resources that helped me:

To be honest, I do not recall why I chose restic over BorgBackup (Borg for short) at the time. But if you are in the market for a tool to create backups with deduplication, compression and encryption, you might want to check out both projects and see which fits your situation best.

Open tabs — December 2022

2025-09-13T21:07:32Z

The end of the year is a nice time to review my open tabs on my phone and computer to see what’s worth saving and what is not. So here is another round.

Note that I do not necessarily endorse the articles or applications I link to. Most of the links to tools are here specifically because they seem interesting to me, but I have no actual experience with them—hence the need for a reminder on this list.

I have tried to group the links somewhat, but other than that they are listed in more or less random order.

Development

Autodocumenting Makefiles: A nice trick to document your Makefile. This article was also discussed on Hacker News.
gron: From the README: gron transforms JSON into discrete assignments to make it easier to grep for what you want and see the absolute ‘path’ to it. It eases the exploration of APIs that return large blobs of JSON but have terrible documentation.
asdf: A version manager for e.g. Ruby, Node.js, Python.
Shell Script Best Practices: Some rules of thumb for writing shell scripts which were also discussed on Hacker News.
How to change git default branch from master: I had to (or wanted to) switch from using the name “master” for my main branch to something else (“main” in most cases) for a couple of Git repositories. It is not hard, but if you do not do it often, it is convenient to have a guide like this to make sure you do not forget anything.

Blogs

Bitfield Consulting: I’m linking the whole website here since it has a bunch of nice Go related articles but also interesting articles in the blog.
Kristiāns Kronis’ blog: I have a couple of articles on this blog still open to (finish) reading, like Using Ubuntu as the base for all of my containers, Moving from GitLab CI to Drone CI and On burnout.
Valentine’s blog: Informative blog of which I still want to read the last two articles in the OpSec blog series.
linuxserver.io blog: A blog by the community that maintains “the largest collection of Docker images on the web” (their words).

Security

The Personal Infosec & Security Checklist: Actionable best practices to harden your security posture.
Personal security checkist: Tips for protecting your digital security and privacy.
A Defensive Computing Checklist: Another list of tips on how to make your digital life more safe.
Router Security: A site with the focus on the security of routers. From the same author as the previous link.
Aegis-icons: Unofficial set of icons for the Aegis Authenticator application.
Pentester’s Promiscuous Notebook: Notes by and for a pentester.

Homelab

BaptisteBdn/docker-selfhosted-apps: A GitHub repository with guides on how to run a bunch of applications via Docker.
Dockerholics Application List: Another list of applications you can host yourself using Docker containers.
Awesome-Selfhosted: Yet another (the?) list of applications you can run yourself.
Awesome Sysadmin: A list of Free and Open-Source sysadmin resources.
Watchtower: Automatically update your Docker containers if newer images are available.
Diun: If you do not like the idea of automatically updating your containers with Watchtower, you might want to look at this Docker Image Update Notifier application.
Drone: I’m already running a Gitea instance and a Docker Registry. Drone might be a nice third component to automatically build projects and e.g. create Docker images and push them to my internal registry.
Khue’s Homelab: Khue Doan has a project to provision, operate and update his homelab. As such it is a nice inspiration.
Grafana Loki: A log aggregation system that looks like a useful addition to my setup, since I’m already running Grafana to visualise some metrics.
Vector: This also looks like a interesting tool to collect logs.
Step Certificates: I am already using a private certificate authority to create certificates for the services in my homelab, but it would be nice to have a self hosted ACME server to do the tedious work. This tool might be what I need.

Entertainment

Elevator Saga: Fun game where you program an elevator/set of elevators to meet certain criteria.
Movie of the Night: While officially a movie/series recommendation engine I use this site regularly to check if I can stream a movie or series in my country and if so, on which service it is available.
OSMC: An interesting looking open source media center, which you can run on a Raspberry Pi or on their devices, like the Vero 4K+
The Lazarus Heist: From Hollywood to High Finance: Inside North Korea’s Global Cyber War: A book about the Lazarus Group, tipped in Darknet Diaries episode 119.
The Silver Ships Series: A book series by Scott Jucha, tipped in the Security Now podcast. (The series is mentioned in episode 887 for the first time.) I’ve finished the first book and loved reading it!
Open Circuits: A lovely book about electronic components with beautiful pictures.

Miscellaneous

Schrijf een persoonlijk manifest voor richting in je werk en leven (Dutch): I’m not sure I’ll ever write such a personal manifest, but just reading this article gave me enough food for thought to make some decisions.
How to Use File History in Windows 10: Useful article for people that want to backup and restore files on Windows machines.
Restic: I’m in the process of testing this backup tool to see if I want to switch over to restic from my current rsync based script to backup my Linux machines to an external disk. If I go that route, I’ll also have to have a look at restic-tools.
Creating Fully Reproducible, PDF/A Compliant Documents in LaTeX: When I was perparing my CV and a cover letter, I wanted the resulting PDF to be more accessible. This article gave me useful instructions on how to achieve that.
Using Neopixels with the Raspberry Pi: I’m toying with the idea of upgrading my home office with some LED strips. Perhaps I’ll use Neopixels and a Raspberry Pi (or similar board) to do this.
Things your manager might not know: An article about how you can help your manager (help you).