restic / caddy

A plugin for the Caddy web server to act as a backend for restic
BSD 2-Clause "Simplified" License

Caddy restic plugin

This plugin makes it easy to run a restic backup server! This plugin uses restic/rest-server to make your backup repositories reachable over HTTPS.

Using restic's "rest" backend instead of the "sftp" backend is likely to provide faster transfer speeds because it avoids a lot of SFTP's flow control problems, where transfers slow down more than necessary.

The advantage of using this plugin over the bare restic/rest-server command is that Caddy provides HTTPS by managing TLS certificates for you, so you always get a secure access point for your repositories and you don't have to reload the server to renew certificates.

Configuration

Caddy's native configuration format has changed from the Caddyfile to JSON. The Caddyfile is still supported, but JSON is the preferred approach, so only the JSON-based configuration is documented here.

The restic plugin is implemented as a middleware handler and is plugged into Caddy's middleware pipeline via configuration. The sample configuration below adds the restic handler to the pipeline:

{
  "apps": {
    "http": {
      "servers": {
        "restic": {
          "routes": [{
            "handle": [{
              "handler": "restic",
              "repository_path": "path to the repository"
            }]
          }]
        }
      }
    }
  }
}

All significant parameters defined by restic/rest-server are available for this plugin too. The following parameters can be defined:

Authentication

It is highly recommended to require authentication to access the repository. Otherwise anyone could access your backups. (Yes, restic backups are encrypted, but people could still delete them, etc.) Furthermore, since basic authentication is used, all communication must be encrypted to protect the credentials sent to the server. Caddy uses HTTPS by default, and it is not safe to use this plugin without HTTPS (TLS). Do not disable TLS.

Generally, there are two options to configure authentication:

Access the repository

Once your server is running, you can access your backups via HTTPS with restic quite easily:

$ restic --repo "rest:https://user:pass@example.com/repo_name" snapshots
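
As an added example (not part of the plugin or its README), the Python sketch below shows why the basic-auth credentials described under Authentication need TLS, and one way to keep them out of the restic command line: it rejects non-HTTPS repository URLs and moves the credentials into restic's RESTIC_REPOSITORY, RESTIC_REST_USERNAME and RESTIC_REST_PASSWORD environment variables. The function names are hypothetical, and it assumes a restic version that reads those variables.

```python
import base64
from urllib.parse import urlsplit, urlunsplit, unquote


def basic_auth_header(user, password):
    """Authorization header value that HTTP basic auth sends with every request."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def recover_credentials(header):
    """Decode a basic-auth header: base64 is an encoding, not encryption,
    so without TLS the credentials are readable by anyone on the path."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a basic-auth header")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def restic_env(repo):
    """Turn a 'rest:https://user:pass@host/path' URL into environment
    variables for restic, so the password is not visible in process
    listings or shell history. Plain-HTTP URLs are rejected."""
    if not repo.startswith("rest:"):
        raise ValueError("not a rest: repository URL")
    parts = urlsplit(repo[len("rest:"):])
    if parts.scheme != "https":
        raise ValueError("refusing to send basic-auth credentials without TLS")
    # Keep host[:port] exactly as written, minus the userinfo part.
    hostport = parts.netloc.rpartition("@")[2]
    clean = urlunsplit((parts.scheme, hostport, parts.path, parts.query, ""))
    env = {"RESTIC_REPOSITORY": "rest:" + clean}
    if parts.username is not None:
        # Userinfo in a URL is percent-encoded; the variables take raw values.
        env["RESTIC_REST_USERNAME"] = unquote(parts.username)
        env["RESTIC_REST_PASSWORD"] = unquote(parts.password or "")
    return env


if __name__ == "__main__":
    # Constructed sample values, matching the placeholder URL above.
    header = basic_auth_header("user", "pass")
    print(header, "->", recover_credentials(header))
    for name, value in restic_env(
            "rest:https://user:pass@example.com/repo_name").items():
        shown = "<redacted>" if name.endswith("PASSWORD") else value
        print(f"{name}={shown}")
```

Merge the returned dictionary into the environment of the restic process (for example via the `env` argument of `subprocess.run`) and call `restic snapshots` without `--repo`.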