Hi, Matvei! Happy to help, but I’m not sure that our setup is close enough to make my explanation useful. So, feel free to ask about details or criticize my suggestions — they could be suboptimal.
In my case, I already had:
- Rclone with encrypted config.
- Kopia with generated TLS certificate and an added user.
In this case, all we need is:
- Allow kopia to work with encrypted rclone config.
- Make macOS run kopia as a daemon.
Allow kopia to work with encrypted rclone config
We are going to run Rclone with Kopia, so we aren’t able to input the password interactively. So we’ll put the password in the rclone environment variable RCLONE_PASSWORD_COMMAND.
- On macOS we can save our password to keychain with command-line util security. Run in terminal:
security add-generic-password -a ACCOUNT -s SERVICE -w PASSWORD
You can put anything in place of ACCOUNT and SERVICE; these are needed only for further reference. And instead of PASSWORD, put your rclone password.
- To put the password into RCLONE_PASSWORD_COMMAND and test it, run:
export RCLONE_PASSWORD_COMMAND='security find-generic-password -a ACCOUNT -s SERVICE -w'
rclone config
Replace ACCOUNT and SERVICE with values you’ve used in the previous step.
If everything is fine, rclone config will be opened without asking for your password for decryption.
Now, if you run kopia server from the same terminal instance, it will be able to access the encrypted rclone config. In a new terminal instance, the “export…” command will need to be repeated.
Make macOS run kopia as a daemon
Create a new file at ~/Library/LaunchAgents/com.example.kopia.plist.
My example: kopia plist template · GitHub
A few notes:
<dict>
<key>RCLONE_PASSWORD_COMMAND</key>
<string>/usr/bin/security find-generic-password -a ACCOUNT -s SERVICE -w</string>
</dict>
Here we do the same thing as before: putting the rclone password into the environment variable. So replace the values with your own.
<array>
<string>/opt/homebrew/bin/kopia</string>
<string>server</string>
<string>start</string>
<string>--tls-cert-file=PATH_CERT_PATH</string>
<string>--tls-key-file=KEY_CERT_PATH</string>
<string>--address=0.0.0.0:51515</string>
<string>--server-username=KOPIA_USER</string>
</array>
These options depend on your setup and the preferred authentication method.
<key>Debug</key>
<true/>
<key>StandardOutPath</key>
<string>PATH_LOGS</string>
<key>StandardErrorPath</key>
<string>PATH_ERROR_LOGS</string>
This section can be omitted. I still watch logs as I’m quite new to kopia. If you also prefer to save logs, replace PATH_LOGS and PATH_ERROR_LOGS with paths of your choice. Or remove this section.
With the plist file saved, three commands will help to test it:
Run daemon:
launchctl bootstrap gui/501 ~/Library/LaunchAgents/com.example.kopia.plist
Stop daemon:
launchctl bootout gui/501 ~/Library/LaunchAgents/com.example.kopia.plist
Check if daemon is running:
launchctl list | grep kopia
That’s it. Please, let me know if I’ve missed something. I sure have.
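
The plist fragments from the post above, assembled into one LaunchAgent and checked for secrets and exposure, as an added example (not part of the original post and not kopia or rclone project code). `EnvironmentVariables`, `ProgramArguments`, `RunAtLoad` and `Label` are standard launchd keys and `RCLONE_CONFIG_PASS` is rclone's plaintext-password variable; the function names, the list of findings and the sample paths are assumptions.

```python
import plistlib

def build_agent(account, service, cert, key, user, address):
    """Assemble the post's plist fragments into one LaunchAgent (XML bytes)."""
    if any(ch.isspace() for ch in account + service):
        # Assumption: keep keychain names space-free so no quoting is needed.
        raise ValueError("ACCOUNT and SERVICE must not contain whitespace")
    agent = {
        "Label": "com.example.kopia",  # same name as the plist file in the post
        "EnvironmentVariables": {
            "RCLONE_PASSWORD_COMMAND": "/usr/bin/security find-generic-password "
                                       f"-a {account} -s {service} -w",
        },
        "ProgramArguments": [
            "/opt/homebrew/bin/kopia", "server", "start",
            f"--tls-cert-file={cert}", f"--tls-key-file={key}",
            f"--address={address}", f"--server-username={user}",
        ],
        "RunAtLoad": True,  # start when the agent is loaded (at login)
    }
    return plistlib.dumps(agent)

def audit_agent(plist_bytes):
    """Return findings for a kopia LaunchAgent plist; an empty list is clean."""
    agent = plistlib.loads(plist_bytes)
    env = agent.get("EnvironmentVariables", {})
    args = agent.get("ProgramArguments", [])
    findings = []
    if "RCLONE_CONFIG_PASS" in env:
        findings.append("plaintext rclone config password in the plist")
    if not env.get("RCLONE_PASSWORD_COMMAND", "").startswith("/"):
        findings.append("RCLONE_PASSWORD_COMMAND missing or not an absolute path")
    if any(a.startswith("--server-password") for a in args):
        findings.append("kopia server password on the command line")
    for flag in ("--tls-cert-file=", "--tls-key-file="):
        if not any(a.startswith(flag) for a in args):
            findings.append(f"{flag[:-1]} is missing")
    if any(a.startswith("--address=0.0.0.0") for a in args):
        findings.append("listening on all interfaces (0.0.0.0)")
    return findings

if __name__ == "__main__":
    # Constructed sample values; replace with your own names and paths.
    xml = build_agent("rclone", "rclone-config", "/Users/me/kopia/my.cert",
                      "/Users/me/kopia/my.key", "kopia", "127.0.0.1:51515")
    print(xml.decode())
    print(audit_agent(xml) or "no findings")
```

Write the generated XML to ~/Library/LaunchAgents/com.example.kopia.plist; `audit_agent` also accepts the bytes of a plist you already have.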