
Comment by rsync

1 day ago

You can achieve append-only without exposing a rest server provided that 'rclone' can be called on the remote end:

  rclone serve restic --stdio

You add something like this to ~/.ssh/authorized_keys:

  restrict,command="rclone serve restic --stdio --append-only backups/my-restic-repo" ssh-rsa ...

... and then run a command like this:

  ssh user@rsync.net rclone serve restic --stdio ...

We just started deploying this on rsync.net servers - which is to say, we maintain an arguments allowlist for every binary you can execute here and we never allowed 'rclone serve' ... but now we do, IFF it is accompanied by --stdio.

You then use `restic` telling it to use rclone like...

    restic ... --option=rclone.program="ssh -i <identity> user@host" --repo=rclone:

which has it use the rclone backend over ssh.

I've been doing this on rsync.net since at least February; works great!
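An added example, not part of the thread and not rsync.net's own code: a sketch of the kind of arguments allowlist the first comment describes, where `rclone serve restic` is accepted only when `--stdio` is present. The function name, the repository path rule and the `require_append_only` switch are assumptions; the input would be the client-requested command that sshd exposes as `SSH_ORIGINAL_COMMAND`.

```python
import re
import shlex

# Hypothetical policy. Both flags are the ones shown in the comment above.
ALLOWED_FLAGS = {"--stdio", "--append-only"}
REQUIRED_FLAGS = {"--stdio"}
# Assumed path rule: relative path, conservative character set.
REPO_RE = re.compile(r"^[A-Za-z0-9._-]+(/[A-Za-z0-9._-]+)*$")


def parse_allowed(original_command, require_append_only=False):
    """Return an argv list to exec without a shell, or None if rejected."""
    try:
        argv = shlex.split(original_command, posix=True)
    except ValueError:  # unbalanced quotes
        return None
    if argv[:3] != ["rclone", "serve", "restic"]:
        return None
    flags, paths = set(), []
    for arg in argv[3:]:
        if arg.startswith("-"):
            if arg not in ALLOWED_FLAGS:
                return None  # e.g. --addr would bind a network listener
            flags.add(arg)
        else:
            paths.append(arg)
    required = set(REQUIRED_FLAGS)
    if require_append_only:
        required.add("--append-only")
    if not required <= flags:
        return None
    # Exactly one repository path, no traversal, no shell metacharacters.
    if len(paths) != 1:
        return None
    repo = paths[0]
    if not REPO_RE.match(repo) or ".." in repo.split("/"):
        return None
    return argv


if __name__ == "__main__":
    # Constructed sample commands, not taken from any real log.
    for cmd in ("rclone serve restic --stdio --append-only backups/my-restic-repo",
                "rclone serve restic backups/my-restic-repo",
                "rclone serve restic --stdio backups/x; id"):
        print("ALLOW" if parse_allowed(cmd) else "DENY ", cmd)
```

The returned list is meant to be passed to an exec-style call directly, so nothing in the client's string is ever interpreted by a shell.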