diff --git a/.forgejo/workflows/docker-publish.yml b/.forgejo/workflows/docker-publish.yml new file mode 100644 index 0000000..59016b5 --- /dev/null +++ b/.forgejo/workflows/docker-publish.yml @@ -0,0 +1,38 @@ +name: Docker + +on: + push: + branches: [ "main" ] + tags: [ 'v*.*.*' ] + pull_request: + branches: [ "main" ] + +env: + REGISTRY: ${{ forgejo.server_url }} + IMAGE_NAME: ${{ forgejo.repository }} + +jobs: + build: + runs-on: docker + steps: + - name: Checkout repository + uses: https://code.forgejo.org/actions/checkout@v4 + + - name: Log into registry + if: forgejo.event_name != 'pull_request' + run: echo "${{ secrets.FORGEJO_TOKEN }}" | docker login ${{ env.REGISTRY }} -u ${{ forgejo.actor }} --password-stdin + + - name: Build Docker image + run: | + TAG="${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest" + if [ "${{ forgejo.ref_type }}" = "tag" ]; then + VERSION="${{ forgejo.ref_name }}" + docker build -t "$TAG" -t "${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${VERSION}" . + else + docker build -t "$TAG" . + fi + + - name: Push Docker image + if: forgejo.event_name != 'pull_request' + run: | + docker push --all-tags "${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}" diff --git a/.forgejo/workflows/shellcheck.yml b/.forgejo/workflows/shellcheck.yml new file mode 100644 index 0000000..df53432 --- /dev/null +++ b/.forgejo/workflows/shellcheck.yml @@ -0,0 +1,19 @@ +name: ShellCheck + +on: + push: + branches: [main] + pull_request: + branches: [main] + +jobs: + shellcheck: + runs-on: docker + steps: + - uses: https://code.forgejo.org/actions/checkout@v4 + + - name: Install ShellCheck + run: apt-get update && apt-get install -y shellcheck + + - name: Run ShellCheck + run: find ./src -name '*.sh' -exec shellcheck {} + diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml deleted file mode 100644 index 1df91f6..0000000 --- a/.github/workflows/docker-publish.yml +++ /dev/null @@ -1,90 +0,0 @@ -name: Docker - -on: - push: - branches: [ "main" ] - # Publish semver tags as releases. - tags: [ 'v*.*.*' ] - pull_request: - branches: [ "main" ] - -env: - # Use docker.io for Docker Hub if empty - REGISTRY: ghcr.io - # github.repository as / - IMAGE_NAME: ${{ github.repository }} - -jobs: - build: - - runs-on: ubuntu-latest - permissions: - contents: read - packages: write - # This is used to complete the identity challenge - # with sigstore/fulcio when running outside of PRs. - id-token: write - - steps: - - name: Checkout repository - uses: actions/checkout@v4 - - # Install the cosign tool except on PR - # https://github.com/sigstore/cosign-installer - - name: Install cosign - if: github.event_name != 'pull_request' - uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 #v3.5.0 - with: - cosign-release: 'v2.2.4' - - # Set up BuildKit Docker container builder to be able to build - # multi-platform images and export cache - # https://github.com/docker/setup-buildx-action - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 - - # Login against a Docker registry except on PR - # https://github.com/docker/login-action - - name: Log into registry ${{ env.REGISTRY }} - if: github.event_name != 'pull_request' - uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 - with: - registry: ${{ env.REGISTRY }} - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - # Extract metadata (tags, labels) for Docker - # https://github.com/docker/metadata-action - - name: Extract Docker metadata - id: meta - uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0 - with: - images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} - - # Build and push Docker image with Buildx (don't push on PR) - # https://github.com/docker/build-push-action - - name: Build and push Docker image - id: build-and-push - uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0 - with: - context: . - push: ${{ github.event_name != 'pull_request' }} - tags: ${{ steps.meta.outputs.tags }} - labels: ${{ steps.meta.outputs.labels }} - cache-from: type=gha - cache-to: type=gha,mode=max - - # Sign the resulting Docker image digest except on PRs. - # This will only write to the public Rekor transparency log when the Docker - # repository is public to avoid leaking data. If you would like to publish - # transparency data even for private images, pass --force to cosign below. - # https://github.com/sigstore/cosign - - name: Sign the published Docker image - if: ${{ github.event_name != 'pull_request' }} - env: - # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable - TAGS: ${{ steps.meta.outputs.tags }} - DIGEST: ${{ steps.build-and-push.outputs.digest }} - # This step uses the identity token to provision an ephemeral certificate - # against the sigstore community Fulcio instance. - run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST} diff --git a/Dockerfile b/Dockerfile index 0df578d..d7d343e 100644 --- a/Dockerfile +++ b/Dockerfile @@ -8,6 +8,7 @@ RUN apk --no-cache add \ openssh \ bash \ coreutils \ + git \ borgbackup=1.4.0-r0 COPY src /src diff --git a/README.md b/README.md index 87dfd8f..d86a23a 100644 --- a/README.md +++ b/README.md @@ -19,7 +19,7 @@ Over the past 2 years, this backup setup has enabled me to successfully restore - **Scheduled Backups**: Automates backups according to a defined schedule. - **Log Rotation**: Maintains weekly logs of all backup activities. - **Multi-Repository Backups**: Allows backups to multiple BorgBackup repositories simultaneously. -- **Healtcheck**: The healthcheck is based on the time of the last successful backup. +- **Healthcheck**: The healthcheck is based on the time of the last successful backup. ### Multi-target backups diff --git a/config/ssh_config b/config/ssh_config index 7017c33..a8ed7dd 100644 --- a/config/ssh_config +++ b/config/ssh_config @@ -1,4 +1,4 @@ Host * - StrictHostKeyChecking no + StrictHostKeyChecking accept-new ServerAliveInterval 30 ServerAliveCountMax 3 diff --git a/docker-compose.yml b/docker-compose.yml index 5f4b028..7c56ea5 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -3,7 +3,6 @@ services: image: ghcr.io/schmelczer/backup-container:latest container_name: backup init: true - tty: true environment: - TZ=Europe/London - SLEEP_TIME=1h # we will wait an hour between backups diff --git a/src/backup-wrapper.sh b/src/backup-wrapper.sh index 5e99c17..577f7dd 100755 --- a/src/backup-wrapper.sh +++ b/src/backup-wrapper.sh @@ -1,6 +1,6 @@ #!/bin/bash -echo "Starting backup wrapper script at `date`" +echo "Starting backup wrapper script at $(date)" execute_script() { echo "Executing script with:" @@ -20,7 +20,7 @@ configure_environment() { for var in BORG_PASSPHRASE BORG_REPO; do local indexed_var_name="${var}_${index}" if [[ -n "${!indexed_var_name}" ]]; then - export $var="${!indexed_var_name}" + export "$var"="${!indexed_var_name}" else all_vars_set=false break @@ -28,10 +28,12 @@ configure_environment() { done # optional variables - for var in BORG_REMOTE_PATH; do - local indexed_var_name="${var}_${index}" - export $var="${!indexed_var_name}" - done + local indexed_var_name="BORG_REMOTE_PATH_${index}" + if [[ -n "${!indexed_var_name}" ]]; then + export BORG_REMOTE_PATH="${!indexed_var_name}" + else + unset BORG_REMOTE_PATH + fi [[ $all_vars_set == true ]] } @@ -39,7 +41,11 @@ configure_environment() { main() { if [ -n "$BORG_REPO" ]; then # fallback case if multi-target backup isn't needed - execute_script + if execute_script; then + date > /health/backup_completion_time.log + else + echo "Skipping completion log due to backup failure" + fi else local index=0 local configurations_found=false @@ -67,4 +73,4 @@ main() { main -echo "Finished backup wrapper script at `date`" +echo "Finished backup wrapper script at $(date)" diff --git a/src/backup.sh b/src/backup.sh index bb85da5..11a6611 100755 --- a/src/backup.sh +++ b/src/backup.sh @@ -5,46 +5,80 @@ KEEP_WEEKLY=${KEEP_WEEKLY:-3} KEEP_MONTHLY=${KEEP_MONTHLY:-48} KEEP_YEARLY=${KEEP_YEARLY:-10} -echo "Starting backup script at `date`" +echo "Starting backup script at $(date)" export BORG_RSH='ssh -oBatchMode=yes' # https://borgbackup.readthedocs.io/en/stable/usage/notes.html#ssh-batch-mode # break any stale locks in case the script was interrupted borg break-lock -borg info # test whether we have a valid repository -if [ $? -ne 0 ]; then +if ! borg info; then echo "Borg info returned a non-zero status. Initializing Borg..." borg init --encryption=repokey fi -# The above command will fail if the repo hasn't been already initialized, +# The above command will fail if the repo hasn't been already initialized, # so we can ignore the return status. However, if any of the commands below fail, # we want to stop the script immediately. set -e +cleanup() { + if [ -n "${GIT_EXCLUDE_FILE:-}" ] && [ -f "$GIT_EXCLUDE_FILE" ]; then + rm -f "$GIT_EXCLUDE_FILE" + fi + if [ -d "/snapshot/btrfs-root" ]; then + cd / + btrfs subvolume delete /snapshot/btrfs-root || true + fi +} +trap cleanup EXIT + if [ -d "/snapshot/btrfs-root" ]; then btrfs subvolume delete /snapshot/btrfs-root fi btrfs subvolume snapshot /btrfs-root /snapshot -cd "/snapshot/btrfs-root$BACKUP_RELATIVE_PATH" +cd "/snapshot/btrfs-root${BACKUP_RELATIVE_PATH:-}" + +# Generate exclusions for git-untracked files if enabled +EXCLUDE_ARGS=(--exclude-from /exclude.conf) +if [ "${IGNORE_GIT_UNTRACKED:-false}" = "true" ]; then + echo "Generating exclusions for git-untracked files..." + GIT_EXCLUDE_FILE=$(mktemp) + + # Find all git repositories and list their untracked files + find . -name .git -type d | while read -r gitdir; do + repo_dir=$(dirname "$gitdir") + ( + cd "$repo_dir" + # Get untracked files (respecting .gitignore) + git ls-files --others --exclude-standard | while read -r file; do + # Output path relative to backup root + echo "${repo_dir#./}/$file" + done + ) + done > "$GIT_EXCLUDE_FILE" + + excluded_count=$(wc -l < "$GIT_EXCLUDE_FILE") + echo "Found $excluded_count git-untracked files to exclude" + + EXCLUDE_ARGS+=(--exclude-from "$GIT_EXCLUDE_FILE") +fi + borg create --stats \ --list \ --filter=AMCE \ --files-cache=ctime,size,inode \ --compression=zstd,12 \ - --exclude-from /exclude.conf ::"{hostname}-{now:%Y-%m-%dT%H:%M:%S}" . + "${EXCLUDE_ARGS[@]}" ::"{hostname}-{now:%Y-%m-%dT%H:%M:%S}" . + cd - borg prune --list --stats \ - --keep-daily=$KEEP_DAILY \ - --keep-weekly=$KEEP_WEEKLY \ - --keep-monthly=$KEEP_MONTHLY \ - --keep-yearly=$KEEP_YEARLY + --keep-daily="$KEEP_DAILY" \ + --keep-weekly="$KEEP_WEEKLY" \ + --keep-monthly="$KEEP_MONTHLY" \ + --keep-yearly="$KEEP_YEARLY" borg compact --threshold=5 --cleanup-commits --verbose --progress - -btrfs subvolume delete /snapshot/btrfs-root - diff --git a/src/healthcheck.sh b/src/healthcheck.sh index ba73b99..c4cb69d 100755 --- a/src/healthcheck.sh +++ b/src/healthcheck.sh @@ -2,15 +2,26 @@ set -e +MAX_BACKUP_AGE_SECONDS="${MAX_BACKUP_AGE_SECONDS:-86400}" + if [ -f /health/backup_completion_time.log ]; then current_time=$(date +%s) backup_time=$(date --file /health/backup_completion_time.log +%s) age_in_seconds=$((current_time - backup_time)) - - if [ ${age_in_seconds} -lt ${MAX_BACKUP_AGE_SECONDS} ]; then + + if [ "${age_in_seconds}" -lt "${MAX_BACKUP_AGE_SECONDS}" ]; then echo "Backup completed within the last ${MAX_BACKUP_AGE_SECONDS} seconds. Healthcheck passed." exit 0 fi +elif [ -f /health/container_start_time.log ]; then + current_time=$(date +%s) + start_time=$(date --file /health/container_start_time.log +%s) + age_in_seconds=$((current_time - start_time)) + + if [ "${age_in_seconds}" -lt "${MAX_BACKUP_AGE_SECONDS}" ]; then + echo "No backup completed yet, but container started less than ${MAX_BACKUP_AGE_SECONDS} seconds ago. Healthcheck passed." + exit 0 + fi fi echo "Backup not completed within the last ${MAX_BACKUP_AGE_SECONDS} seconds. Healthcheck failed." diff --git a/src/schedule.sh b/src/schedule.sh index c7c4cdd..9aaf1f3 100755 --- a/src/schedule.sh +++ b/src/schedule.sh @@ -10,10 +10,11 @@ get_log_file_name() { echo "/backup-logs/backup_$(date +%Y)_week_$(date +%U).log" } -echo "Starting schedule script at `date`" | log_message +echo "Starting schedule script at $(date)" | log_message +date > /health/container_start_time.log while true; do - exec /src/backup-wrapper.sh 2>&1 | log_message + /src/backup-wrapper.sh 2>&1 | log_message echo "Sleeping for $SLEEP_TIME" | log_message # Using a simple sleep loop to schedule backups instead of cron to avoid concurrency issues