diff --git a/.forgejo/workflows/docker-publish.yml b/.forgejo/workflows/docker-publish.yml deleted file mode 100644 index 59016b5..0000000 --- a/.forgejo/workflows/docker-publish.yml +++ /dev/null @@ -1,38 +0,0 @@ -name: Docker - -on: - push: - branches: [ "main" ] - tags: [ 'v*.*.*' ] - pull_request: - branches: [ "main" ] - -env: - REGISTRY: ${{ forgejo.server_url }} - IMAGE_NAME: ${{ forgejo.repository }} - -jobs: - build: - runs-on: docker - steps: - - name: Checkout repository - uses: https://code.forgejo.org/actions/checkout@v4 - - - name: Log into registry - if: forgejo.event_name != 'pull_request' - run: echo "${{ secrets.FORGEJO_TOKEN }}" | docker login ${{ env.REGISTRY }} -u ${{ forgejo.actor }} --password-stdin - - - name: Build Docker image - run: | - TAG="${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest" - if [ "${{ forgejo.ref_type }}" = "tag" ]; then - VERSION="${{ forgejo.ref_name }}" - docker build -t "$TAG" -t "${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${VERSION}" . - else - docker build -t "$TAG" . - fi - - - name: Push Docker image - if: forgejo.event_name != 'pull_request' - run: | - docker push --all-tags "${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}" diff --git a/.forgejo/workflows/shellcheck.yml b/.forgejo/workflows/shellcheck.yml deleted file mode 100644 index df53432..0000000 --- a/.forgejo/workflows/shellcheck.yml +++ /dev/null @@ -1,19 +0,0 @@ -name: ShellCheck - -on: - push: - branches: [main] - pull_request: - branches: [main] - -jobs: - shellcheck: - runs-on: docker - steps: - - uses: https://code.forgejo.org/actions/checkout@v4 - - - name: Install ShellCheck - run: apt-get update && apt-get install -y shellcheck - - - name: Run ShellCheck - run: find ./src -name '*.sh' -exec shellcheck {} + diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml new file mode 100644 index 0000000..1df91f6 --- /dev/null +++ b/.github/workflows/docker-publish.yml @@ -0,0 +1,90 @@ +name: Docker + +on: + push: + branches: [ "main" ] + # Publish semver tags as releases. + tags: [ 'v*.*.*' ] + pull_request: + branches: [ "main" ] + +env: + # Use docker.io for Docker Hub if empty + REGISTRY: ghcr.io + # github.repository as / + IMAGE_NAME: ${{ github.repository }} + +jobs: + build: + + runs-on: ubuntu-latest + permissions: + contents: read + packages: write + # This is used to complete the identity challenge + # with sigstore/fulcio when running outside of PRs. + id-token: write + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + # Install the cosign tool except on PR + # https://github.com/sigstore/cosign-installer + - name: Install cosign + if: github.event_name != 'pull_request' + uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 #v3.5.0 + with: + cosign-release: 'v2.2.4' + + # Set up BuildKit Docker container builder to be able to build + # multi-platform images and export cache + # https://github.com/docker/setup-buildx-action + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 + + # Login against a Docker registry except on PR + # https://github.com/docker/login-action + - name: Log into registry ${{ env.REGISTRY }} + if: github.event_name != 'pull_request' + uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 + with: + registry: ${{ env.REGISTRY }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + # Extract metadata (tags, labels) for Docker + # https://github.com/docker/metadata-action + - name: Extract Docker metadata + id: meta + uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0 + with: + images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + + # Build and push Docker image with Buildx (don't push on PR) + # https://github.com/docker/build-push-action + - name: Build and push Docker image + id: build-and-push + uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0 + with: + context: . + push: ${{ github.event_name != 'pull_request' }} + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} + cache-from: type=gha + cache-to: type=gha,mode=max + + # Sign the resulting Docker image digest except on PRs. + # This will only write to the public Rekor transparency log when the Docker + # repository is public to avoid leaking data. If you would like to publish + # transparency data even for private images, pass --force to cosign below. + # https://github.com/sigstore/cosign + - name: Sign the published Docker image + if: ${{ github.event_name != 'pull_request' }} + env: + # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable + TAGS: ${{ steps.meta.outputs.tags }} + DIGEST: ${{ steps.build-and-push.outputs.digest }} + # This step uses the identity token to provision an ephemeral certificate + # against the sigstore community Fulcio instance. + run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST} diff --git a/Dockerfile b/Dockerfile index d7d343e..744bc0a 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM alpine:3.21.3 +FROM alpine:3.23.3 # this is the default, but just to be explicit USER root @@ -8,7 +8,6 @@ RUN apk --no-cache add \ openssh \ bash \ coreutils \ - git \ borgbackup=1.4.0-r0 COPY src /src diff --git a/README.md b/README.md index d86a23a..87dfd8f 100644 --- a/README.md +++ b/README.md @@ -19,7 +19,7 @@ Over the past 2 years, this backup setup has enabled me to successfully restore - **Scheduled Backups**: Automates backups according to a defined schedule. - **Log Rotation**: Maintains weekly logs of all backup activities. - **Multi-Repository Backups**: Allows backups to multiple BorgBackup repositories simultaneously. -- **Healthcheck**: The healthcheck is based on the time of the last successful backup. +- **Healtcheck**: The healthcheck is based on the time of the last successful backup. ### Multi-target backups diff --git a/config/ssh_config b/config/ssh_config index a8ed7dd..7017c33 100644 --- a/config/ssh_config +++ b/config/ssh_config @@ -1,4 +1,4 @@ Host * - StrictHostKeyChecking accept-new + StrictHostKeyChecking no ServerAliveInterval 30 ServerAliveCountMax 3 diff --git a/docker-compose.yml b/docker-compose.yml index 7c56ea5..5f4b028 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -3,6 +3,7 @@ services: image: ghcr.io/schmelczer/backup-container:latest container_name: backup init: true + tty: true environment: - TZ=Europe/London - SLEEP_TIME=1h # we will wait an hour between backups diff --git a/src/backup-wrapper.sh b/src/backup-wrapper.sh index 577f7dd..5e99c17 100755 --- a/src/backup-wrapper.sh +++ b/src/backup-wrapper.sh @@ -1,6 +1,6 @@ #!/bin/bash -echo "Starting backup wrapper script at $(date)" +echo "Starting backup wrapper script at `date`" execute_script() { echo "Executing script with:" @@ -20,7 +20,7 @@ configure_environment() { for var in BORG_PASSPHRASE BORG_REPO; do local indexed_var_name="${var}_${index}" if [[ -n "${!indexed_var_name}" ]]; then - export "$var"="${!indexed_var_name}" + export $var="${!indexed_var_name}" else all_vars_set=false break @@ -28,12 +28,10 @@ configure_environment() { done # optional variables - local indexed_var_name="BORG_REMOTE_PATH_${index}" - if [[ -n "${!indexed_var_name}" ]]; then - export BORG_REMOTE_PATH="${!indexed_var_name}" - else - unset BORG_REMOTE_PATH - fi + for var in BORG_REMOTE_PATH; do + local indexed_var_name="${var}_${index}" + export $var="${!indexed_var_name}" + done [[ $all_vars_set == true ]] } @@ -41,11 +39,7 @@ configure_environment() { main() { if [ -n "$BORG_REPO" ]; then # fallback case if multi-target backup isn't needed - if execute_script; then - date > /health/backup_completion_time.log - else - echo "Skipping completion log due to backup failure" - fi + execute_script else local index=0 local configurations_found=false @@ -73,4 +67,4 @@ main() { main -echo "Finished backup wrapper script at $(date)" +echo "Finished backup wrapper script at `date`" diff --git a/src/backup.sh b/src/backup.sh index 11a6611..bb85da5 100755 --- a/src/backup.sh +++ b/src/backup.sh @@ -5,80 +5,46 @@ KEEP_WEEKLY=${KEEP_WEEKLY:-3} KEEP_MONTHLY=${KEEP_MONTHLY:-48} KEEP_YEARLY=${KEEP_YEARLY:-10} -echo "Starting backup script at $(date)" +echo "Starting backup script at `date`" export BORG_RSH='ssh -oBatchMode=yes' # https://borgbackup.readthedocs.io/en/stable/usage/notes.html#ssh-batch-mode # break any stale locks in case the script was interrupted borg break-lock -if ! borg info; then +borg info # test whether we have a valid repository +if [ $? -ne 0 ]; then echo "Borg info returned a non-zero status. Initializing Borg..." borg init --encryption=repokey fi -# The above command will fail if the repo hasn't been already initialized, +# The above command will fail if the repo hasn't been already initialized, # so we can ignore the return status. However, if any of the commands below fail, # we want to stop the script immediately. set -e -cleanup() { - if [ -n "${GIT_EXCLUDE_FILE:-}" ] && [ -f "$GIT_EXCLUDE_FILE" ]; then - rm -f "$GIT_EXCLUDE_FILE" - fi - if [ -d "/snapshot/btrfs-root" ]; then - cd / - btrfs subvolume delete /snapshot/btrfs-root || true - fi -} -trap cleanup EXIT - if [ -d "/snapshot/btrfs-root" ]; then btrfs subvolume delete /snapshot/btrfs-root fi btrfs subvolume snapshot /btrfs-root /snapshot -cd "/snapshot/btrfs-root${BACKUP_RELATIVE_PATH:-}" - -# Generate exclusions for git-untracked files if enabled -EXCLUDE_ARGS=(--exclude-from /exclude.conf) -if [ "${IGNORE_GIT_UNTRACKED:-false}" = "true" ]; then - echo "Generating exclusions for git-untracked files..." - GIT_EXCLUDE_FILE=$(mktemp) - - # Find all git repositories and list their untracked files - find . -name .git -type d | while read -r gitdir; do - repo_dir=$(dirname "$gitdir") - ( - cd "$repo_dir" - # Get untracked files (respecting .gitignore) - git ls-files --others --exclude-standard | while read -r file; do - # Output path relative to backup root - echo "${repo_dir#./}/$file" - done - ) - done > "$GIT_EXCLUDE_FILE" - - excluded_count=$(wc -l < "$GIT_EXCLUDE_FILE") - echo "Found $excluded_count git-untracked files to exclude" - - EXCLUDE_ARGS+=(--exclude-from "$GIT_EXCLUDE_FILE") -fi - +cd "/snapshot/btrfs-root$BACKUP_RELATIVE_PATH" borg create --stats \ --list \ --filter=AMCE \ --files-cache=ctime,size,inode \ --compression=zstd,12 \ - "${EXCLUDE_ARGS[@]}" ::"{hostname}-{now:%Y-%m-%dT%H:%M:%S}" . - + --exclude-from /exclude.conf ::"{hostname}-{now:%Y-%m-%dT%H:%M:%S}" . cd - borg prune --list --stats \ - --keep-daily="$KEEP_DAILY" \ - --keep-weekly="$KEEP_WEEKLY" \ - --keep-monthly="$KEEP_MONTHLY" \ - --keep-yearly="$KEEP_YEARLY" + --keep-daily=$KEEP_DAILY \ + --keep-weekly=$KEEP_WEEKLY \ + --keep-monthly=$KEEP_MONTHLY \ + --keep-yearly=$KEEP_YEARLY borg compact --threshold=5 --cleanup-commits --verbose --progress + +btrfs subvolume delete /snapshot/btrfs-root + diff --git a/src/healthcheck.sh b/src/healthcheck.sh index c4cb69d..ba73b99 100755 --- a/src/healthcheck.sh +++ b/src/healthcheck.sh @@ -2,26 +2,15 @@ set -e -MAX_BACKUP_AGE_SECONDS="${MAX_BACKUP_AGE_SECONDS:-86400}" - if [ -f /health/backup_completion_time.log ]; then current_time=$(date +%s) backup_time=$(date --file /health/backup_completion_time.log +%s) age_in_seconds=$((current_time - backup_time)) - - if [ "${age_in_seconds}" -lt "${MAX_BACKUP_AGE_SECONDS}" ]; then + + if [ ${age_in_seconds} -lt ${MAX_BACKUP_AGE_SECONDS} ]; then echo "Backup completed within the last ${MAX_BACKUP_AGE_SECONDS} seconds. Healthcheck passed." exit 0 fi -elif [ -f /health/container_start_time.log ]; then - current_time=$(date +%s) - start_time=$(date --file /health/container_start_time.log +%s) - age_in_seconds=$((current_time - start_time)) - - if [ "${age_in_seconds}" -lt "${MAX_BACKUP_AGE_SECONDS}" ]; then - echo "No backup completed yet, but container started less than ${MAX_BACKUP_AGE_SECONDS} seconds ago. Healthcheck passed." - exit 0 - fi fi echo "Backup not completed within the last ${MAX_BACKUP_AGE_SECONDS} seconds. Healthcheck failed." diff --git a/src/schedule.sh b/src/schedule.sh index 9aaf1f3..c7c4cdd 100755 --- a/src/schedule.sh +++ b/src/schedule.sh @@ -10,11 +10,10 @@ get_log_file_name() { echo "/backup-logs/backup_$(date +%Y)_week_$(date +%U).log" } -echo "Starting schedule script at $(date)" | log_message -date > /health/container_start_time.log +echo "Starting schedule script at `date`" | log_message while true; do - /src/backup-wrapper.sh 2>&1 | log_message + exec /src/backup-wrapper.sh 2>&1 | log_message echo "Sleeping for $SLEEP_TIME" | log_message # Using a simple sleep loop to schedule backups instead of cron to avoid concurrency issues