$OpenBSD: README,v 1.3 2019/03/08 14:04:24 sthen Exp $
+-----------------------------------------------------------------------
| Running ${PKGSTEM} on OpenBSD
+-----------------------------------------------------------------------
User Authentication
===================
The server uses an .htpasswd file to specify users. You can create such a file
at the root of the persistence directory (${VARBASE}/restic by default) by
executing the following command. In order to append new user to the file, just
omit the -c argument.
# su -l -s/bin/sh _restic
$ htpasswd .htpasswd username
TLS
===
By default the server uses HTTP protocol. This is not very secure since with
Basic Authentication, username and passwords will travel in cleartext in every
request. In order to enable TLS support, add the --tls argument. By default
the server will read files named "public_key" and "private_key" at the root
of your persistence directory. The location can be changed with the flags
--tls-cert and --tls-key (they must be readable by the _restic user).
The above arguments can be set by using rcctl(8):
rcctl enable restic_rest_server
rcctl set restic_rest_server flags --tls --path ${VARBASE}/restic
You can either use a certificate signed by a standard CA, or generate a
self-signed certificate with the following commands:
openssl genrsa -out private_key 4096
openssl req -new -x509 -key private_key -out public_key -days 365
The restic backend normally validates certificates using the system
CA store in /etc/ssl/cert.pem; if using a self-signed certificate, point
the restic backend at a copy of the certificate using the --cacert option.
