computer:ubuntu:restic-backup-docker-hermes

computer:ubuntu:restic-backup-docker-hermes [2024/01/22 08:55] – [Ubuntu braucht einen Service] spring
computer:ubuntu:restic-backup-docker-hermes [2024/12/15 09:13] (current) – [Restic Backup im Netzwerk] spring
Line 1: Line 1:
 ====== Restic Backup im Netzwerk ====== ====== Restic Backup im Netzwerk ======
-Übersicht über alle Backups: ''http://resticinfo.local''+Übersicht über alle Backups: ''http://resticinfo.spring.private'' 
 + 
 +Idee aus perplexity: 
 + 
 +To protect access to Traefik services from the internet using basic authentication while leaving intranet access unprotected, you can use a combination of Traefik's IPWhiteList middleware and BasicAuth middleware. Here's how to set it up: 
 +Configuration Steps 
 + 
 +    Create a BasicAuth middleware for external access: 
 + 
 +text 
 +<code> 
 +http: 
 +  middlewares: 
 +    basic-auth: 
 +      basicAuth: 
 +        users: 
 +          - "admin:$apr1$h9OxLeY20/5uiXjfPgdRxuFlrfqBf2QifYDgrwsR6rAEgX3/dpOGq" 
 +</code> 
 +    Create an IPWhiteList middleware for internal access: 
 + 
 +text 
 +<code> 
 +http: 
 +  middlewares: 
 +    internal-whitelist: 
 +      ipWhiteList: 
 +        sourceRange: 
 +          - "192.168.0.0/16" 
 +          - "10.0.0.0/8" 
 +          - "172.16.0.0/12" 
 +</code> 
 +    Set up a middleware chain combining both: 
 + 
 +text 
 +<code> 
 +http: 
 +  middlewares: 
 +    secure-chain: 
 +      chain: 
 +        middlewares: 
 +          - internal-whitelist 
 +          - basic-auth 
 +</code> 
 +    Apply the middleware chain to your router: 
 + 
 +text 
 +<code> 
 +http: 
 +  routers: 
 +    my-service: 
 +      rule: "Host(`example.com`)" 
 +      service: "my-service" 
 +      middlewares: 
 +        - secure-chain 
 +</code> 
 +This configuration will allow unrestricted access from the specified internal IP ranges while requiring basic authentication for external access2 
 +
 +
 +Additional Considerations 
 + 
 +    Ensure you replace the example BasicAuth credentials with your own securely hashed passwords1 
 +    5 
 +    . 
 +    Adjust the IP ranges in the IPWhiteList middleware to match your internal network configuration4 
 +    . 
 +    For enhanced security, consider using more robust authentication methods like Authelia or Authentik for external access6 
 +    . 
 + 
 +By implementing this setup, you can effectively protect your Traefik services from unauthorized external access while maintaining convenient internal access within your network. 
 +can the name "basic-auth" in this example be modified or is it fixed? 
 +Sources 
 +Answer 
 +The name "basic-auth" in the example can be modified. It is not a fixed name, but rather a custom identifier for the middleware you're creating1 
 +
 +. You can choose any name you prefer for your middleware, as long as it follows Traefik's naming conventions. For example, you could use names like "my-auth", "custom-basic-auth", or "secure-access"
 +
 +. When defining a middleware, you typically use a structure like: 
 +<code> 
 +text 
 +http: 
 +  middlewares: 
 +    your-chosen-name: 
 +      basicAuth: 
 +        # configuration details 
 +</code> 
 +Just remember to reference the middleware using the name you've chosen when applying it to your routers or services2 
 +
 + 
 +The general format for defining a router in Traefik labels is: 
 + 
 +text 
 +- "traefik.http.routers.<router-name>.rule=<your-rule>" 
 + 
 +Where <router-name> is a custom identifier you choose for your router, and <your-rule> is the routing rule you want to apply. 
 + 
 ===== Restic Server auf hermes ===== ===== Restic Server auf hermes =====
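Review bot: The `secure-chain` middleware added in this hunk does not give the behaviour the pasted text claims ("unrestricted access from the specified internal IP ranges while requiring basic authentication for external access"). A Traefik chain applies every listed middleware in order, so a request has to pass `internal-whitelist` and then still satisfy `basic-auth`: internal clients get the password prompt anyway, and external clients are answered with 403 by the IP check before they ever reach BasicAuth. The split described needs two routers (one matching internal sources with only the IP middleware, one for everything else with only `basic-auth`), not one chain. Two smaller points in the same hunk: the example entry `admin:$apr1$h9OxLeY20/...` has only two `$` separators, whereas a valid `$apr1$` htpasswd line has the form `$apr1$<salt>$<hash>`, so it should be replaced by real `htpasswd` output (`htpasswd -nB <user>` for bcrypt, which Traefik accepts) before use; and the stray citation digits carried over from the pasted answer (`...external access2`, `...passwords1 5 .`, `...configuration4 .`, `...access6 .`) should be cleaned out of the wiki text. If the target Traefik is v3, `ipWhiteList` is the deprecated name and `ipAllowList` is the current one.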
  
Line 7: Line 102:
 hermes macht Pull-Backups von sich selbst und den Servern florapower und netcup mit hilfe des Scripts ''/usr/local/bin/run-restic.sh'' hermes macht Pull-Backups von sich selbst und den Servern florapower und netcup mit hilfe des Scripts ''/usr/local/bin/run-restic.sh''
  
-===== Restic Backups von kudell und denkbrett =====+===== Restic Backups von kudell und denkbrett via systemd ===== 
 +( von https://fedoramagazine.org/automate-backups-with-restic-and-systemd/
 +Systemd erlaubt das Starten von Services auch einmal/Tag. 
 + 
 +Achtung: Auf Ubuntu prüfen ob restic in /usr/bin oder /usr/local/bin liegt 
 +==== Service-Unitfile anlegen ==== 
 +<code>sudo systemctl edit --force --full restic-backup.service</code> 
 +<file bash> 
 +# from https://fedoramagazine.org/automate-backups-with-restic-and-systemd/ 
 +[Unit] 
 +Description=Restic backup service 
 +After=network-online.target  
 +Wants=network-online.service 
 +StartLimitIntervalSec=6000 
 +StartLimitBurst=30 
 + 
 +[Service] 
 +Type=oneshot 
 +ExecStart=/usr/bin/restic backup --host $HOST --verbose --one-file-system --tag systemd.timer $BACKUP_EXCLUDES $BACKUP_PATHS 
 +EnvironmentFile=/root/restic-backup.conf 
 +Restart=on-failure 
 +RestartSec=60 
 + 
 +[Install] 
 +WantedBy=default.target 
 +</file> 
 + 
 + 
 +==== EnvironmentFile anlegen ==== 
 +<file bash> 
 +HOME=/root 
 +HOST=denkbrett 
 +RESTIC_REPOSITORY=rest:https://<abc>:<def>@restic.<meine.domain> 
 +RESTIC_PASSWORD_FILE=/root/resticpw 
 +BACKUP_PATHS="/root /etc /home/springm /root /usr/local /var/spool/cron/crontabs" 
 +BACKUP_EXCLUDES="--exclude-file /root/restic-exclude.txt --exclude-if-present .exclude_from_backup" 
 +</file> 
 +==== Service starten/stoppen/enablen/prüfen ==== 
 +  * Änderungen mitteilen mit ''systemctl daemon-reload'' 
 +  * Starten mit ''systemctl start restic-backup.service'' (führt Backup durch) 
 +  * Als Dienst einrichten mit ''systemctl enable restic-backup.service'' 
 +  * Dienst prüfen mit ''systemctl status restic-backup.service'' 
 + 
 +==== Timer anlegen ==== 
 +<code>sudo systemctl edit --force --full restic-backup.timer</code> 
 +<file bash>[Unit] 
 +Description=Backup with restic daily 
 + 
 +[Timer] 
 +OnCalendar=daily 
 +OnActiveSec=30 
 +Persistent=true 
 + 
 +[Install] 
 +WantedBy=timers.target 
 +</file> 
 +  * Enablen mit <code>systemctl enable --now restic-backup.timer</code> 
 +  * Status prüfen mit <code>systemctl status restic-backup.timer</code>
  
 +===== Restic Backups von kudell und denkbrett - DEPRECATED - =====
 Das Backup sollte im Prinzip täglich von hermes getriggert als Pull-Backup laufen, allerdings sind diese Rechner nicht immer zur festgesetzten Backup-Zeit eingeschaltet. Das Backup sollte im Prinzip täglich von hermes getriggert als Pull-Backup laufen, allerdings sind diese Rechner nicht immer zur festgesetzten Backup-Zeit eingeschaltet.
 Die Alternative ist ein Push-Backup, das vom Client getriggert entweder nach dem Booten oder nach dem Aufwachen aus dem Suspend/Hibernate stattfindet. Die Alternative ist ein Push-Backup, das vom Client getriggert entweder nach dem Booten oder nach dem Aufwachen aus dem Suspend/Hibernate stattfindet.
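Review bot: `Wants=network-online.service` in the `[Unit]` section of `restic-backup.service` names a unit that does not exist; the line directly above already orders `After=network-online.target`, so this should read `Wants=network-online.target`, otherwise the dependency has no effect and the backup can fire before the network is up. Also in this hunk: `BACKUP_PATHS` lists `/root` twice, so drop the duplicate; `/root/restic-backup.conf` carries the REST username and password inside the `RESTIC_REPOSITORY` URL, so the "EnvironmentFile anlegen" step should say to create it root-owned with mode 600; and `ExecStart=/usr/bin/restic` hardcodes exactly what the "Achtung" line says must be checked per Ubuntu host (`/usr/bin` vs `/usr/local/bin`), so a `command -v restic` check belongs next to that warning.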
Line 58: Line 211:
  
 ==== Ubuntu braucht einen Service ==== ==== Ubuntu braucht einen Service ====
-  sudo systemctl edit --force --full restic_run_when_networkup.service+  sudo systemctl edit --force --full restic_run_when_network_up.service
 <file> <file>
 [Unit] [Unit]
Line 74: Line 227:
 WantedBy=multi-user.target WantedBy=multi-user.target
 </file> </file>
-  sudo systemctl enable restic_run_when_networkup.service+  sudo systemctl enable restic_run_when_network_up.service
  
-  sudo systemctl start restic_run_when_networkup.service+  sudo systemctl start restic_run_when_network_up.service
  
  
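Review bot: Renaming the unit from `restic_run_when_networkup.service` to `restic_run_when_network_up.service` in the `edit`, `enable` and `start` commands leaves a second, still-enabled unit behind on hosts where the old name was already installed; the hunk has no step to `systemctl disable --now restic_run_when_networkup.service` and remove the old file under `/etc/systemd/system/`, so both would run after the next boot. Add that cleanup plus a `systemctl daemon-reload` before the new `enable`.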
Line 247: Line 400:
         - "traefik.enable=true"         - "traefik.enable=true"
         - "traefik.docker.network=proxy"         - "traefik.docker.network=proxy"
-        - "traefik.http.routers.restic-rest.rule=Host(`restic.hermes.markus-spring.info`)" +        - "traefik.http.routers.restic-rest.rule=Host(`restic.meine.domain`)" 
         - "traefik.http.routers.restic-rest.entrypoints=https"         - "traefik.http.routers.restic-rest.entrypoints=https"
         - "traefik.http.routers.restic-rest.tls=true"         - "traefik.http.routers.restic-rest.tls=true"
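Review bot: Swapping `restic.hermes.markus-spring.info` for the placeholder `restic.meine.domain` in the `Host()` rule only hides the name in the current revision; the previous value stays in the page history (this comparison view itself still shows it), so it should be treated as already public rather than as a secret that this edit removed. The backticks inside the double-quoted YAML label are fine for Traefik's `Host()` syntax.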
Line 260: Line 413:
  
 Test auf dem netcup-Server Test auf dem netcup-Server
-  export RESTIC_REPOSITORY="rest:https://user:passwort@restic.hermes.markus-spring.info"+  export RESTIC_REPOSITORY="rest:https://user:passwort@restic.meine.domain"
   restic -v snapshots   restic -v snapshots
   restic -v --exclude-file=/root/restic-exclude.txt backup /home/springm   restic -v --exclude-file=/root/restic-exclude.txt backup /home/springm
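Review bot: The `export RESTIC_REPOSITORY="rest:https://user:passwort@restic.meine.domain"` test line puts the REST username and password on the command line, so they are written in plaintext to root's shell history. Mirror what the systemd section already does and keep the URL in a root-only file that is sourced (`set -a; . /root/restic-backup.conf; set +a`), or at least run the test with `HISTCONTROL=ignorespace` and a leading space. The new hostname is consistent with the `Host()` label changed above.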
  • computer/ubuntu/restic-backup-docker-hermes.1705913740.txt.gz
  • Last modified: 2024/01/22 08:55
  • by spring