My restic backup solution using Backblaze B2 storage, systemd timers (or cron) and email notifications on failure.
formerly named restic-systemd-automatic-backup
restic is a command-line tool for making backups, the right way. Check the official website for a feature explanation. As a storage backend, I recommend Backblaze B2 as restic works well with it, and it is (at the time of writing) very affordable for the hobbyist hacker! (anecdotal: I pay for my full-systems backups each month typically < 1 USD).
Unfortunately restic does not come pre-configured with a way to run automated backups, say every day. However, it’s possible to set this up yourself using built-in tools in your OS and some wrappers. For Linux with systemd, it’s convenient to use systemd timers. For macOS systems, we can use built-in LaunchAgents. For Windows we can use ScheduledTasks. Any OS having something cron-like will also work!
Here follows a step-by-step tutorial on how to set it up, with my sample script and configurations that you can modify to suit your needs.
Note, you can use any of restic’s supported storage backends. The setup should be similar, but you will have to use other configuration variables to match your backend of choice.
[!NOTE]
Update: this project is feature complete (see reasoning below). Only bug fixes will be accepted. Feel free to fork if you want to add more features; being a forking base was the initial scope of this project!
The scope for this is not to be a full-fledged super solution that solves all the problems and all possible setups. The aim is to be a hackable code base for you to start sewing up the perfect backup solution that fits your requirements!
Nevertheless, the project should work out of the box, be minimal but still open the doors for configuration and extensions by users.
To use a different storage backend than B2, you should only need to tweak a few settings variables in the backup profile as well as some restic arguments inside restic_backup.sh.
[!TIP]
Navigate this document easily from the Section icon in the top left corner.
[!NOTE]
In the command listings in this document, $ means a user shell and # means a root shell (or use sudo).
restic >=v0.9.6
bash >=v4.0.0
make, if you want an automated install (part of the base-devel meta package; Debian/Ubuntu: part of the build-essential meta package; macOS: use the pre-installed version or a more recent one from Homebrew)
Depending on your system, the setup will look different. Choose one of:
[!NOTE]
The Linux setup here will assume an installation to /.
Many Linux distributions nowadays use Systemd, which features good support for running services and scheduled jobs. If your distribution is not on Systemd, check out the cron setup instead.
TL;DR setup
/etc/restic.
restic(1). All commands after this assume the profile is sourced in the current shell.
# source /etc/restic/default.env.sh
# restic init
OnCalendar in /usr/lib/systemd/system/restic-backup@.timer.
# systemctl enable --now restic-backup@default.timer
# journalctl -f --lines=50 -u restic-backup@default
# restic snapshots
# systemctl enable --now restic-check@default.timer
default.env.sh and use the defined profile name in place of default to run backups or enable timers. Notice that the value after @ works as a parameter.
# systemctl enable restic-backup@other_profile.timer
[!NOTE]
The macOS setup here will assume a Homebrew installation to the recommended default location. This is $HOMEBREW_PREFIX (brew --prefix), which is /usr/local on Intel Macs and /opt/homebrew on Apple Silicon.
Launchd is the modern built-in service scheduler in macOS. It has support for running services as root (Daemon) or as a normal user (Agent). Here we set up a LaunchAgent to be run as your normal user for starting regular backups.
TL;DR setup
$ brew install erikw/tap/restic-automatic-backup-scheduler
make:
$ make PREFIX=$(brew --prefix) install-launchagent
$(brew --prefix)/etc/restic.
restic(1). All commands after this assume the profile is sourced in the current shell.
$ source $(brew --prefix)/etc/restic/default.env.sh
$ restic init
OnCalendar in ~/Library/LaunchAgents/homebrew.mxcl.restic-automatic-backup-scheduler.plist.
$ brew services start [...] command in the next step. Run that command and come back here.
make install: ~/Library/LaunchAgents/com.github.erikw.restic-backup.plist.
$ brew services start restic-automatic-backup-scheduler
make install:
$ launchctl bootstrap gui/$UID ~/Library/LaunchAgents/com.github.erikw.restic-backup.plist
$ launchctl enable gui/$UID/com.github.erikw.restic-backup
$ launchctl kickstart -p gui/$UID/com.github.erikw.restic-backup
As a convenience, a shortcut for the above commands is $ make activate-launchagent-backup.
$ tail -f ~/Library/Logs/restic/backup*
$ restic snapshots
$ brew services start restic-automatic-backup-scheduler-check
make install:
$ launchctl bootstrap gui/$UID ~/Library/LaunchAgents/com.github.erikw.restic-check.plist
$ launchctl enable gui/$UID/com.github.erikw.restic-check
$ launchctl kickstart -p gui/$UID/com.github.erikw.restic-check
As a convenience, a shortcut for the above commands is $ make activate-launchagent-check.
Then control the service with homebrew:
$ brew services start restic-automatic-backup-scheduler
$ brew services restart restic-automatic-backup-scheduler
$ brew services stop restic-automatic-backup-scheduler
If services start fails, it might be due to a previous version being installed. In that case remove the existing version and try again:
$ launchctl bootout gui/$UID/com.github.erikw.restic-backup
$ brew services start restic-automatic-backup-scheduler
Use the disable command to temporarily pause the agent, or bootout to uninstall it.
$ launchctl disable gui/$UID/com.github.erikw.restic-backup
$ launchctl bootout gui/$UID/com.github.erikw.restic-backup
If you updated the .plist file, you need to issue the bootout followed by the bootstrap and enable sub-commands of launchctl. This will guarantee that the file is properly reloaded.
Windows comes with a built-in task scheduler called ScheduledTask. The frontend app is “Task Scheduler” (taskschd.msc) and we can use PowerShell commands to install a new scheduled task.
I describe here one of many ways you can get restic and this backup script working on Windows. Here I chose to work with scoop and git-bash.
TL;DR setup
pwsh should be installed to be able to run powershell in shebang scripts.
powershell> scoop install restic make git pwsh
powershell> git-bash
git-bash$ mkdir ~/src && cd ~/src/
git-bash$ git clone https://github.com/erikw/restic-automatic-backup-scheduler.git && cd $(basename "$_" .git)
git-bash$ make install-schedtask
/etc/restic.
git-bash$ vim /etc/restic/*
Note that you should use cygwin/git-bash paths. E.g. in default.env.sh you could have
export RESTIC_BACKUP_PATHS='/c/Users/<username>/My Documents'
restic(1). All commands after this assume the profile is sourced in the current shell.
git-bash$ source /etc/restic/default.env.sh
git-bash$ restic init
git-bash$ restic_backup.sh
git-bash$ restic snapshots
taskschd.msc)
restic_backup and click “run”.
make install-schedtask: just close and start it again to refresh.
restic_backup.sh, and the next time the configured schedule hits!
With taskschd.msc you can easily start, stop, delete and configure the scheduled tasks to your liking:
[!NOTE]
There are many different cron implementations out there and they all work slightly differently.
Any system that has a cron-like system can easily set up restic backups as well. However, if your system supports any of the previous setups, those are recommended over cron as they provide more features and reliability for your backups.
TL;DR setup
$ sudo make install-cron
/etc/cron.d/. If that is not the case, simply copy the relevant contents of the installed /etc/cron.d/restic into your /etc/crontab.
# grep "^@.*restic_" /etc/cron.d/restic >> /etc/crontab
/etc/restic.
restic(1). All commands after this assume the profile is sourced in the current shell.
# source /etc/restic/default.env.sh
# restic init
# restic_backup.sh
# restic snapshots
/etc/cron.d/restic (or /etc/crontab).
This is a more detailed explanation than the TL;DR sections above that will give you more understanding of the setup. This section is more general, but uses Linux + Systemd as the example setup.
$ git clone https://github.com/erikw/restic-automatic-backup-scheduler.git && cd $(basename "$_" .git)
Make a quick search-and-replace in the source files:
$ find bin etc usr Library ScheduledTask -type f -exec sed -i.bak -e 's|{{ INSTALL_PREFIX }}||g' {} \; -exec rm {}.bak \;
and you should now see that all files have been changed like e.g.
-export RESTIC_PASSWORD_FILE="{{ INSTALL_PREFIX }}/etc/restic/pw.txt"
+export RESTIC_PASSWORD_FILE="/etc/restic/pw.txt"
Why? The OS specific TL;DR setups above all use the Makefile or a package manager to install these files. The placeholder string {{ INSTALL_PREFIX }} is in the source files for portability reasons, so that the Makefile can support all different operating systems. make users can set a different $PREFIX when installing like PREFIX=/usr/local make install-systemd.
In this detailed manual setup we will copy all files manually to /etc and /bin. Thus, we need to remove the placeholder string {{ INSTALL_PREFIX }} in the source files as a first step.
In short:
First, see this official Backblaze tutorial on restic, and follow the instructions (“Create Backblaze account with B2 enabled”) there on how to create a new B2 bucket. In general, you’d want a private bucket, without B2 encryption (restic does the encryption client side for us) and without the object lock feature.
For restic to be able to connect to your bucket, you need to create a pair of keyID and applicationKey in the B2 settings. It’s a good idea to create a separate pair of ID and Key for each bucket that you will use, with limited read&write access to only that bucket.
Put these files in /etc/restic/:
_global.env.sh: Fill this file out with your global settings including B2 keyID & applicationKey.
default.env.sh: This is the default profile. Fill this out with bucket name, backup paths and retention policy. This file sources _global.env.sh and is thus self-contained and can be sourced in the shell when you want to issue some manual restic commands. For example:
$ source /etc/restic/default.env.sh
$ restic snapshots # You don't have to supply all parameters like --repo, as they are now in your environment!
pw.txt: This file should contain the restic password (single line) used to encrypt the repository. This is a new password that will soon be used when initializing the new repository. It should be unique to this restic backup repository and is needed for restoring from it. Don’t re-use your B2 login password, this should be different. For example you can generate a 128 character password (must all be on one line) with:
$ openssl rand -base64 128 | tr -d '\n' > /etc/restic/pw.txt
backup_exclude.txt: List of file patterns to ignore. This will trim down your backup size and speed up the backup a lot when done properly!
Now we must initialize the repository on the remote end:
$ sudo -i
# source /etc/restic/default.env.sh
# restic init
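The profiles in /etc/restic are sourced by a root shell and hold the repository password and the B2 keyID and applicationKey, so their permissions matter. The audit below is an added example, not part of this project; the function name audit_restic_dir and the demo file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of restic-automatic-backup-scheduler.
# Audits a profile directory laid out as described above
# (pw.txt, _global.env.sh, *.env.sh).
# Prints one finding per line and returns 1 if there is any.
audit_restic_dir() {
    _dir=$1
    _bad=0

    # Profiles are sourced by root: a file that group/other can write lets
    # a local user run commands as root at the next scheduled backup.
    _w=$(find "$_dir" -type f \( -perm -020 -o -perm -002 \))
    if [ -n "$_w" ]; then
        printf '%s\n' "$_w" | sed 's/^/WRITABLE by group or other: /'
        _bad=1
    fi

    # Secrets: the repository password and the B2 keyID/applicationKey.
    for _f in "$_dir/pw.txt" "$_dir/_global.env.sh"; do
        if [ ! -f "$_f" ]; then
            echo "MISSING: $_f"; _bad=1
        elif [ -n "$(find "$_f" \( -perm -040 -o -perm -004 \))" ]; then
            echo "READABLE by group or other: $_f"; _bad=1
        fi
    done

    # The password must be non-empty and all on one line.
    if [ -f "$_dir/pw.txt" ]; then
        if [ ! -s "$_dir/pw.txt" ]; then
            echo "EMPTY: $_dir/pw.txt"; _bad=1
        elif [ "$(wc -l < "$_dir/pw.txt")" -gt 1 ]; then
            echo "MULTI-LINE: $_dir/pw.txt"; _bad=1
        fi
    fi
    return "$_bad"
}

# Constructed demo: a throwaway directory with one deliberate mistake.
demo=$(mktemp -d)
printf 'constructed-password' > "$demo/pw.txt"
printf 'export B2_ACCOUNT_ID=constructed-key-id\n' > "$demo/_global.env.sh"
chmod 600 "$demo/pw.txt"
chmod 644 "$demo/_global.env.sh"   # mistake: secrets readable by everyone
audit_restic_dir "$demo" || echo "audit found problems in $demo"
rm -rf "$demo"
```

Run it as `audit_restic_dir /etc/restic` after filling out the profiles; a clean directory prints nothing and returns 0.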
Put this file in /bin:
restic_backup.sh: A script that defines how to run the backup. The intention is that you should not need to edit this script yourself, but be able to control everything from the *.env.sh profiles.
Restic supports exclude files. They list file pattern paths to exclude from your backups, files that just occupy storage space, backup-time, network and money. restic_backup.sh allows for a few different exclude files.
/etc/restic/backup_exclude.txt - global exclude list. You can use only this one if your setup is easy. This is set in _global.env.sh. If you need a different file for another profile, you can override the envvar RESTIC_BACKUP_EXCLUDE_FILE in this profile.
.backup_exclude.txt per backup path. If you have e.g. a USB disk mounted at /mnt/media and this path is included in the $RESTIC_BACKUP_PATHS, you can place a file /mnt/media/.backup_exclude.txt and it will automatically be picked up. The nice thing about this is that the backup paths are self-contained in terms of what they should exclude!
Now see if the backup itself works, by running as root
# source /etc/restic/default.env.sh
# /bin/restic_backup.sh
As the default.env.sh is already sourced in your root shell, you can now just list the snapshots
# restic snapshots
Alternatively you can mount the restic snapshots to a directory, e.g. /mnt/restic
# restic mount /mnt/restic
# ls /mnt/restic
All OS setups differ in what task scheduler they use. As a demonstration, let’s look at how we can do this with systemd under Linux here.
Put these files in /etc/systemd/system (note that the Makefile installs as package to /usr/lib/systemd/system):
restic-backup@.service: A service that calls the backup script with the specified profile. The profile is specified after @ when running it (see below).
restic-backup@.timer: A timer that starts the former backup every day (same thing about profile here).
OnCalendar key in the file.
Now simply enable the timer with:
# systemctl enable --now restic-backup@default.timer
You can see when your next backup is scheduled to run with
# systemctl list-timers | grep restic
and see the status of a currently running backup with:
# systemctl status restic-backup
or start a backup manually:
$ systemctl start restic-backup@default
You can follow the backup stdout output live as backup is running with:
$ journalctl -f -u restic-backup@default.service
(skip -f to see all backups that have run)
Once in a while it can be good to do a health check of the remote repository, to make sure it’s not getting corrupt. This can be done with $ restic check.
There are companion scripts, a service and a timer (*check*) to restic-backup.sh that check the restic backup for errors; look in the repo in usr/lib/systemd/system/ and bin/ and copy what you need over to their corresponding locations.
# systemctl enable --now restic-check@default.timer
To have different backup jobs with e.g. different buckets, backup paths or schedules, just make a copy of the default.env.sh and use the defined profile name in place of default in the previous steps.
To create a different backup profile and use it you can do:
# cp /etc/restic/default.env.sh /etc/restic/other.env.sh
# vim /etc/restic/other.env.sh # Set backup path, bucket etc.
# source /etc/restic/other.env.sh
# restic_backup.sh
When enabled, it will write the stats to a CSV log file after each backup. It can be enabled by uncommenting its env variable (RESTIC_BACKUP_STATS_DIR) in the global environment file or defining it in a specific profile.
The stats log (as well as the desktop notifications) incurs an additional run of restic snapshots and restic diff. This execution is shared with the notifications (no extra run).
It’s a good idea to be on top of your backups to make sure that they don’t increase a lot in size and incur high costs. However, it’s notoriously tricky to make GUI notifications correctly from a non-user process (e.g. root).
Therefore, this project provides a lightweight solution for desktop notifications that works like this: Basically restic_backup.sh will append a summary line of the last backup to a user-owned file (the user running your OS’s desktop environment) in a fire-and-forget fashion. Then the user has a process that reads this and forwards each line as a new message to the desktop environment in use.
To set desktop notifications up:
$ mkfifo /home/user/.cache/notification-queue
/etc/restic/default.sh, set:
RESTIC_BACKUP_NOTIFICATION_FILE=/home/user/.cache/notification-queue
We want to be aware when the automatic backup fails, so we can fix it. Since my laptop does not run a mail server, I went for a solution to set up my laptop to be able to send emails with postfix via my Gmail. Follow the instructions over there.
Put this file in /bin:
systemd-email: Sends email using sendmail(1). This script also features time-out for not spamming Gmail servers and getting my account blocked.
Put this file in /etc/systemd/system/:
status-email-user@.service: A service that can notify you via email when a systemd service fails. Edit the target email address in this file, and replace or remove {{ INSTALL_PREFIX }} according to your installation.
Now edit /usr/lib/systemd/system/restic-backup@.service and /usr/lib/systemd/system/restic-check@.service to call this service on failure.
OnFailure=status-email-user@%n.service
Use bin/cron_mail: A wrapper for running cron jobs, that sends output of the job as an email using the mail(1) command. This assumes that the mail program is correctly set up on the system to send emails.
To use this, wrap the restic script command with it in your cron file like:
-@midnight root . /etc/restic/default.sh && restic_backup.sh
+@midnight root . /etc/restic/default.sh && cron_mail restic_backup.sh
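Review bot: on the + line cron_mail wraps only restic_backup.sh, so when sourcing the profile fails the && short-circuits, cron_mail never runs, and the wrapper mails nothing for that failure. Consider having cron_mail wrap the whole command so that a missing or broken profile is reported too. Both lines also source /etc/restic/default.sh, while the profile is named /etc/restic/default.env.sh elsewhere in this document; check that the path matches the installed file.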
For a laptop, it can make sense to not do heavy backups when you're on a metered connection like a shared connection from your mobile phone. To solve this we can set up a systemd service that is in success state only when a connection is unmetered. Then we can simply tell our backup service to depend on this service! When the unmetered service detects a metered connection it will go to failed state. Then our backup service will not run as it requires this other service to be in success state.
restic-backup@.service and restic-check@.service to require the new service to be in success state:
Requires=nm-unmetered-connection.service
After=nm-unmetered-connection.service
/etc/systemd/system/: nm-unmetered-connection.service: A service that is in success state only if the connection is unmetered.
/bin: nm-unmetered-connection.sh: Detects metered connections and returns an error code if one is detected. This script requires the Gnome NetworkManager to be installed (modify this script if your system has a different network manager).
# systemctl daemon-reload
[!TIP]
All steps but the first can be done in one go if you use the Makefile. Set $PREFIX as needed or leave empty for install to /.
sudo bash -c 'export PREFIX=
make build/usr/lib/systemd/system/nm-unmetered-connection.service
install -m 0644 build/usr/lib/systemd/system/nm-unmetered-connection.service $PREFIX/etc/systemd/system
install -m 0555 bin/nm-unmetered-connection.sh /bin
systemctl daemon-reload
'
For convenience there’s a restic wrapper script that makes loading profiles and running restic straightforward (it needs to run with sudo to read environment). Just run:
sudo resticw WHATEVER (e.g. sudo resticw snapshots) to use the default profile.
resticw -p anotherprofile snapshots.
restic like --diff-latest option.
Useful commands:
| Command | Description |
|---|---|
| resticw snapshots | List backup snapshots |
| resticw diff <snapshotId-1> <snapshotId-2> | Show the changes between backup snapshots |
| resticw stats / resticw stats snapshotId ... | Show the statistics for the whole repo or the specified snapshots |
| resticw mount /mnt/restic | Mount your remote repository |
| resticw --diff-latest | Show latest snapshot changes: Runs restic diff after finding the latest 2 snapshots |
There is a make target to remove all files (scripts and configs) that were installed by sudo make install-*. Just run:
$ sudo make uninstall
The best way to debug what’s going on is to run the restic_backup.sh script with bash’s trace function. You can activate it by running the script with bash -x:
$ source /etc/restic/default.env.sh
$ bash -x /bin/restic_backup.sh
To debug smaller portions of the backup script, insert these lines at the top and bottom of the relevant code portions e.g.:
set -x
exec 2>/tmp/restic-automatic-backup-scheduler.log
<code to debug>
set +x
and then inspect the outputs like
$ less /tmp/restic-automatic-backup-scheduler.log
$ tail -f /tmp/restic-automatic-backup-scheduler.log # or follow output like this.
Makefile simply install to a $PREFIX like
$ PREFIX=/tmp/restic-test make install-systemd
resticw parser: If you ever update the usage DOC, you will need to refresh the auto-generated parser:
$ pip install docopt-sh
$ docopt.sh usr/local/bin/resticw
vi CHANGELOG.md
semver up minor
ver=$(semver get release)
git commit -am "Bump version to $ver" && git tag $ver && git push --atomic origin main $ver