Access backups using file share

Feature
,
1

Hello,

Running a NS8 core 3.15 instance, which has samba module backed up to Local Storage.

The file restore functionality was not able to match files/folders using cyrillic filenames and i wanted to provide an easy user experience to file restore by using a samba share.

I have added a couple of systemd unit files to have the restic samba repository mounted, which is then added as an additional volume to the samba container and shared over samba. I have described the setup in case it is interesting for someone else.

Overiew

All backups will be accessible on \\<servername>\Backup$\shares_backup\<timestamp> read-only file share.

The backup share will automatically refresh available timestamps every morning.

Only the domain\administrator account can access this share by default because of the sensitive contents. Can be customized so designated users access the backup share.

NB. The samba-dc volume mount must be re-applied after every Nethserver module update.

Setup

  1. Install restic and systemd unit files on host
  • dnf install restic
  • update RESTIC_REPOSITORY and RESTIC_PASSWORD environment variables.
  • update samba module system user samba1 if required.
  1. Setup samba-dc container volume mount.
  • enter samba module: runagent -m samba1
  • stop samba-dc: systemctl --user stop samba-dc
  • insert a line in /home/samba1/.config/systemd/user/samba-dc.service for the additional volume:
[samba1@ns8 state\]$ diff -uw samba-dc.service.orig /home/samba1/.config/systemd/user/samba-dc.service
--- samba-dc.service.orig       2026-02-24 13:57:51.214308429 +0200
+++ /home/samba1/.config/systemd/user/samba-dc.service  2026-02-24 09:10:20.590079803 +0000
@@ -41,6 +41,7 @@
     --volume=config:/etc/samba:z \
     --volume=shares:/srv/shares \
     --volume=homes:/srv/homes \
+    -v /mnt/restic_mount:/srv/restic_mount:ro,rshared \
     --init \
     ${SAMBA_DC_IMAGE}
  • start samba-dc:
systemctl --user daemon-reload
systemctl --user start samba-dc
exit
  1. Enter samba-dc container and create a share:
runagent -m samba1 podman exec -it samba-dc /bin/bash
mkdir /srv/shares/Backup$ # dummy directory to prevent samba module backup from failing 
net conf addshare Backup$ /srv/restic_mount
net conf setparm Backup$ 'read only' yes
  1. Share customization (optional)
  • Set hidden flag of the directory containing the restic repository since it is not meant to be used directly by the user.
net conf setparm 'Backup$' 'hide files' /_sambarepo/
  • Block access to samba-backup.tar.bz2 to prevent accidental leak of windows domain database.
net conf setparm 'Backup$' 'veto files' '/samba-backup.tar.bz2/'
  • Allow access to other domain users besides administrator (example for user testuser)
net conf setparm 'Backup$' 'force user' root
net conf setparm 'Backup$' 'valid users' 'administrator, testuser'

systemd units

  1. systemd main service /etc/systemd/system/restic-mount.service
[Unit]
Description=Restic Mount Backup Service
After=network.target
Wants=network-online.target

[Service]
Type=simple
User=root
Group=root
Environment="RESTIC_REPOSITORY=/var/lib/containers/storage/volumes/backup00/_data/samba/<uuid>"
Environment="RESTIC_PASSWORD=<secret>"

# -------- PRE STEPS --------
ExecStartPre=/usr/bin/mkdir -p /mnt/restic_mount/_sambarepo /mnt/restic_mount/shares_backup
ExecStartPre=/usr/bin/chown samba1:samba1 /mnt/restic_mount
ExecStartPre=/usr/bin/chmod 700 /mnt/restic_mount
ExecStartPre=/usr/bin/find /mnt/restic_mount/shares_backup -type l -delete
ExecStartPre=/usr/bin/chcon -R system_u:object_r:container_file_t:s0 /mnt/restic_mount

# -------- MAIN PROCESS --------
ExecStart=/usr/bin/restic mount \
    --time-template "2006-01-02T1504" \
    --path-template "snapshots/%%T" \
    --no-default-permissions \
    --no-lock \
    --allow-other \
    /mnt/restic_mount/_sambarepo

# -------- POST STEPS --------
ExecStartPost=/usr/bin/sh -c '\
while [ ! -d /mnt/restic_mount/_sambarepo/snapshots ]; do sleep 1; done'

ExecStartPost=/usr/bin/sh -c '\
for dir in /mnt/restic_mount/_sambarepo/snapshots/*; do \
    [ ! -d "$dir" ] && continue; \
    [ "$(basename "$dir")" = "latest" ] && continue; \
    ln -srf "$dir/volumes/shares" "/mnt/restic_mount/shares_backup/$(basename "$dir")"; \
done'


# Graceful stop
ExecStop=runagent -m samba1 podman exec -t samba-dc smbcontrol smbd close-share Backup$
KillMode=process
KillSignal=SIGINT
TimeoutStopSec=30
Restart=on-failure

[Install]
WantedBy=multi-user.target
  1. systemd restart helper /etc/systemd/system/restic-mount-restart.service
[Unit]
Description=Restart Restic Mount

[Service]
Type=oneshot
ExecStart=/bin/systemctl restart restic-mount.service
  1. systemd timer /etc/systemd/system/restic-mount-restart.timer
[Unit]
Description=Restart Restic Mount daily at 07:00

[Timer]
OnCalendar=*-*-* 07:00:00
Persistent=true

[Install]
WantedBy=timers.target
  1. Enable systemd units
systemctl daemon-reload
systemctl enable --now restic-mount.service
systemctl enable --now restic-mount-restart.timer
  1. Check status and verify:
  • systemd sucessful start: systemctl status restic-mount.service and systemctl status restic-mount-restart.timer
  • restic repository visible in samba container: runagent -m samba1 podman exec samba-dc ls -l /srv/restic_mount/_sambarepo/snapshots
  • timestamped directories are visible in samba container: runagent -m samba1 podman exec samba-dc ls -l /srv/restic_mount/shares_backup
  • share is accessible from samba-dc container: smbclient //localhost/Backup$ -U corp\\administrator -c 'cd shares_backup; ls'
  • file access from a remote machine: copy files from the share
  • the restart trigger works: systemctl start restic-mount-restart.service
3 Likes
2

Hi and welcome to NethServer Community.

Thanks for the howto.

2 Likes