Using Restic with Synology
I have recently set up a Restic backup with my Synology, and it required some jumping between different sources and searches, so I decided to write up this quick guide, in case it's helpful for anyone else (or future me).
Enable SSH and SFTP
On your Synology DSM, open the Control Panel and navigate to Terminal & SNMP, then check Enable SSH service. Go to File Services, and under FTP check the Enable SFTP Service (not FTP or FTPS). I've left the ports as the default.
Create an SSH key
If you want to enable automatic backups, you'll need to set up a passwordless login. Since SSH keys are asymmetric, I'm personally comfortable re-using the public key I created for GitHub, which has a guide for creating a key. If you want to be extra secure, you can also generate a key specifically for your NAS. Regardless of which you choose, you should end up with a .pub file in your ~/.ssh/ folder, which we'll use to allow passwordless login on the NAS.
Create the remote folder and user
In your DSM Control Panel, go to Shared Folder, then create a new shared folder. I've named mine backup. Staying in the Control Panel, go to User & Group, and create a new user, which will be locked down to only allow access via SFTP to the backup folder. Under this user's Permissions, leave everything unchecked except for Read/Write of the backup folder you created. Under Applications, Deny all, except for SFTP.
Still in the User & Group section of the Control Panel, click on Advanced, and at the bottom check the Enable User Home Service checkbox. This will create home folders for users, which we'll use for the SSH key.
Upload the key
In your DSM's File Station, navigate to homes/backup, then create a new folder named .ssh. Open this folder up, and upload your public (.pub) key.
Now SSH into your NAS, either with an admin account or your backup user. Navigate to your backup user's home folder, and run the following commands:
cat .ssh/keyname.pub >> .ssh/authorized_keys
chmod 700 .ssh/
chmod 600 .ssh/authorized_keys
chown -R backup:users .ssh/
This appends the content of your public key to the .ssh/authorized_keys file, then sets up the required permissions and ownership for the folder and file.
You could probably also use scp to copy the file over and not have to run the file ownership commands.
Change the backup user's shell
When I created my backup user, it didn't have a shell associated with it, which made an SSH connection immediately terminate despite successfully authenticating. While you're still in the SSH connection, run cat /etc/passwd | grep backup. If you see something like /sbin/nologin at the end, you'll need to update this.
Run sudo vim /etc/passwd, and on the backup user's line, change /sbin/nologin to /bin/sh.
Run the Restic init
When you run the restic -r sftp:backup@nas-ip:/location init command, one small 'gotcha' is that SFTP starts at a different root from SSH. So while over SSH you see your volume and its shared folders as something like /volume1/backup, SFTP will connect and put you in the /volume1/ folder already. This means that you can just directly specify the shared folder name in the Restic init command, something like restic -r sftp:backup@nas-ip:/backup.
Troubleshooting SSH connection
There are two good ways to debug the SSH connection:
- Log on the client side: run the SSH command in verbose mode with ssh -vvv ....
- Run the server-side SSHD in debug mode: within the SSH connection, run sudo /bin/sshd -d -p 1234, then in a new terminal, connect to your NAS, but specify port 1234. Now your first terminal should print out what's going on when you connect.
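Both the key permissions and the login shell set up above can break passwordless login without any obvious error, so the following added example (not part of the original guide) checks them in one pass. The function name audit_key_login is hypothetical, and it assumes a stat that accepts -c (GNU coreutils or BusyBox) and an sshd running with the OpenSSH default of StrictModes yes.

```shell
#!/bin/sh
# Added example (not from the original guide): audit the key-login setup.
# Usage: audit_key_login USER HOME_DIR [PASSWD_FILE]
# e.g. on the NAS: audit_key_login backup <backup user's home folder>
# Prints one line per problem; the return status is the number of problems.

audit_key_login() {
    user=$1; home=$2; passwd=${3:-/etc/passwd}
    problems=0

    # Field 3 of the passwd entry is the UID, field 7 the login shell.
    uid=$(awk -F: -v u="$user" '$1 == u { print $3 }' "$passwd")
    shell=$(awk -F: -v u="$user" '$1 == u { print $7 }' "$passwd")
    if [ -z "$uid" ]; then
        echo "PROBLEM: no entry for $user in $passwd"
        return 1
    fi

    # With StrictModes, sshd ignores authorized_keys if the home directory,
    # .ssh or the file itself is writable by group or others, or is owned
    # by someone other than the user or root.
    for path in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$path" ]; then
            echo "PROBLEM: $path is missing"
            problems=$((problems + 1))
            continue
        fi
        mode=$(stat -c '%a' "$path")    # octal permission bits, e.g. 700
        owner=$(stat -c '%u' "$path")   # numeric owner id
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "PROBLEM: $path is mode $mode (group/other writable)"
            problems=$((problems + 1))
        fi
        if [ "$owner" != "$uid" ] && [ "$owner" != 0 ]; then
            echo "PROBLEM: $path is owned by uid $owner, expected $uid"
            problems=$((problems + 1))
        fi
    done

    # A nologin/false shell ends the session right after authentication.
    case $shell in
        */nologin|*/false)
            echo "PROBLEM: login shell for $user is $shell"
            problems=$((problems + 1)) ;;
    esac
    return "$problems"
}
```

Run it as an admin user on the NAS; no output and an exit status of 0 means the key files and shell match what this guide sets up.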