Differences

This shows you the differences between two versions of the page.

--- computer:ubuntu:restic-backup-docker-hermes [2024/02/27 18:22] – [Service-Unitfile anlegen] spring
+++ computer:ubuntu:restic-backup-docker-hermes [2024/12/15 09:13] (current) – [Restic Backup im Netzwerk] spring
@@ Line 1: / Line 1: @@
 ====== Restic Backup im Netzwerk ======
-Übersicht über alle Backups: ''http://resticinfo.local''
+Übersicht über alle Backups: ''http://resticinfo.spring.private''
+Idee aus perplexity:
+To protect access to Traefik services from the internet using basic authentication while leaving intranet access unprotected, you can use a combination of Traefik's IPWhiteList middleware and BasicAuth middleware. Here's how to set it up:
+Configuration Steps
+    Create a BasicAuth middleware for external access:
+text
+<code>
+http:
+  middlewares:
+    basic-auth:
+      basicAuth:
+        users:
+          - "admin:$apr1$h9OxLeY20/5uiXjfPgdRxuFlrfqBf2QifYDgrwsR6rAEgX3/dpOGq"
+</code>
+    Create an IPWhiteList middleware for internal access:
+text
+<code>
+http:
+  middlewares:
+    internal-whitelist:
+      ipWhiteList:
+        sourceRange:
+          - "192.168.0.0/16"
+          - "10.0.0.0/8"
+          - "172.16.0.0/12"
+</code>
+    Set up a middleware chain combining both:
+text
+<code>
+http:
+  middlewares:
+    secure-chain:
+      chain:
+        middlewares:
+          - internal-whitelist
+          - basic-auth
+</code>
+    Apply the middleware chain to your router:
+text
+<code>
+http:
+  routers:
+    my-service:
+      rule: "Host(`example.com`)"
+      service: "my-service"
+      middlewares:
+        - secure-chain
+</code>
+This configuration will allow unrestricted access from the specified internal IP ranges while requiring basic authentication for external access2
+
+.
+Additional Considerations
+    Ensure you replace the example BasicAuth credentials with your own securely hashed passwords1
+
+    .
+    Adjust the IP ranges in the IPWhiteList middleware to match your internal network configuration4
+    .
+    For enhanced security, consider using more robust authentication methods like Authelia or Authentik for external access6
+    .
+By implementing this setup, you can effectively protect your Traefik services from unauthorized external access while maintaining convenient internal access within your network.
+can the name "basic-auth" in this example be modified or is it fixed?
+Sources
+Answer
+The name "basic-auth" in the example can be modified. It is not a fixed name, but rather a custom identifier for the middleware you're creating1
+
+. You can choose any name you prefer for your middleware, as long as it follows Traefik's naming conventions. For example, you could use names like "my-auth", "custom-basic-auth", or "secure-access"5
+
+. When defining a middleware, you typically use a structure like:
+<code>
+text
+http:
+  middlewares:
+    your-chosen-name:
+      basicAuth:
+        # configuration details
+</code>
+Just remember to reference the middleware using the name you've chosen when applying it to your routers or services2
+
+The general format for defining a router in Traefik labels is:
+text
+- "traefik.http.routers.<router-name>.rule=<your-rule>"
+Where <router-name> is a custom identifier you choose for your router, and <your-rule> is the routing rule you want to apply.
 ===== Restic Server auf hermes =====
@@ Line 10: / Line 105: @@
 ( von https://fedoramagazine.org/automate-backups-with-restic-and-systemd/ )
 Systemd erlaubt das Starten von Services auch einmal/Tag.
+Achtung: Auf Ubuntu prüfen ob restic in /usr/bin oder /usr/local/bin liegt
 ==== Service-Unitfile anlegen ====
-sudo systemctl edit --force --full restic.service
+<code>sudo systemctl edit --force --full restic-backup.service</code>
 <file bash>
 # from https://fedoramagazine.org/automate-backups-with-restic-and-systemd/
 [Unit]
 Description=Restic backup service
+After=network-online.target
+Wants=network-online.service
+StartLimitIntervalSec=6000
+StartLimitBurst=30
 [Service]
@@ Line 21: / Line 122: @@
 ExecStart=/usr/bin/restic backup --host $HOST --verbose --one-file-system --tag systemd.timer $BACKUP_EXCLUDES $BACKUP_PATHS
 EnvironmentFile=/root/restic-backup.conf
+Restart=on-failure
+RestartSec=60
 [Install]
-WantedBy=multi-user.target
+WantedBy=default.target
-WantedBy=network-online.target
 </file>
@@ Line 39: / Line 141: @@
 ==== Service starten/stoppen/enablen/prüfen ====
   * Änderungen mitteilen mit ''systemctl daemon-reload''
-  * Starten mit ''systemctl start restic.service''
+  * Starten mit ''systemctl start restic-backup.service'' (führt Backup durch)
-  * Als Dienst einrichten mit ''systemctl enable restic.service''
+  * Als Dienst einrichten mit ''systemctl enable restic-backup.service''
-  * Dienst prüfen mit ''systemctl status restic.service''
+  * Dienst prüfen mit ''systemctl status restic-backup.service''
+==== Timer anlegen ====
+<code>sudo systemctl edit --force --full restic-backup.timer</code>
+<file bash>[Unit]
+Description=Backup with restic daily
+[Timer]
+OnCalendar=daily
+OnActiveSec=30
+Persistent=true
+[Install]
+WantedBy=timers.target
+</file>
+  * Enablen mit <code>systemctl enable --now restic-backup.timer</code>
+  * Status prüfen mit <code>systemctl status restic-backup.timer</code>
 ===== Restic Backups von kudell und denkbrett - DEPRECATED - =====
@@ Line 282: / Line 400: @@
         - "traefik.enable=true"
         - "traefik.docker.network=proxy"
-        - "traefik.http.routers.restic-rest.rule=Host(`restic.hermes.markus-spring.info`)"
+        - "traefik.http.routers.restic-rest.rule=Host(`restic.meine.domain`)"
         - "traefik.http.routers.restic-rest.entrypoints=https"
         - "traefik.http.routers.restic-rest.tls=true"
@@ Line 295: / Line 413: @@
 Test auf dem netcup-Server
-  export RESTIC_REPOSITORY="rest:https://user:passwort@restic.hermes.markus-spring.info"
+  export RESTIC_REPOSITORY="rest:https://user:passwort@restic.meine.domain"
   restic -v snapshots
   restic -v --exclude-file=/root/restic-exclude.txt backup /home/springm