Compare commits
1 commit
main
...
dependabot
| Author | SHA1 | Date | |
|---|---|---|---|
|
c65b29f039 |
11 changed files with 119 additions and 138 deletions
|
|
@ -1,38 +0,0 @@
|
|||
name: Docker
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [ "main" ]
|
||||
tags: [ 'v*.*.*' ]
|
||||
pull_request:
|
||||
branches: [ "main" ]
|
||||
|
||||
env:
|
||||
REGISTRY: ${{ forgejo.server_url }}
|
||||
IMAGE_NAME: ${{ forgejo.repository }}
|
||||
|
||||
jobs:
|
||||
build:
|
||||
runs-on: docker
|
||||
steps:
|
||||
- name: Checkout repository
|
||||
uses: https://code.forgejo.org/actions/checkout@v4
|
||||
|
||||
- name: Log into registry
|
||||
if: forgejo.event_name != 'pull_request'
|
||||
run: echo "${{ secrets.FORGEJO_TOKEN }}" | docker login ${{ env.REGISTRY }} -u ${{ forgejo.actor }} --password-stdin
|
||||
|
||||
- name: Build Docker image
|
||||
run: |
|
||||
TAG="${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest"
|
||||
if [ "${{ forgejo.ref_type }}" = "tag" ]; then
|
||||
VERSION="${{ forgejo.ref_name }}"
|
||||
docker build -t "$TAG" -t "${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${VERSION}" .
|
||||
else
|
||||
docker build -t "$TAG" .
|
||||
fi
|
||||
|
||||
- name: Push Docker image
|
||||
if: forgejo.event_name != 'pull_request'
|
||||
run: |
|
||||
docker push --all-tags "${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}"
|
||||
|
|
@ -1,19 +0,0 @@
|
|||
name: ShellCheck
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [main]
|
||||
pull_request:
|
||||
branches: [main]
|
||||
|
||||
jobs:
|
||||
shellcheck:
|
||||
runs-on: docker
|
||||
steps:
|
||||
- uses: https://code.forgejo.org/actions/checkout@v4
|
||||
|
||||
- name: Install ShellCheck
|
||||
run: apt-get update && apt-get install -y shellcheck
|
||||
|
||||
- name: Run ShellCheck
|
||||
run: find ./src -name '*.sh' -exec shellcheck {} +
|
||||
90
.github/workflows/docker-publish.yml
vendored
Normal file
90
.github/workflows/docker-publish.yml
vendored
Normal file
|
|
@ -0,0 +1,90 @@
|
|||
name: Docker
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [ "main" ]
|
||||
# Publish semver tags as releases.
|
||||
tags: [ 'v*.*.*' ]
|
||||
pull_request:
|
||||
branches: [ "main" ]
|
||||
|
||||
env:
|
||||
# Use docker.io for Docker Hub if empty
|
||||
REGISTRY: ghcr.io
|
||||
# github.repository as <account>/<repo>
|
||||
IMAGE_NAME: ${{ github.repository }}
|
||||
|
||||
jobs:
|
||||
build:
|
||||
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
contents: read
|
||||
packages: write
|
||||
# This is used to complete the identity challenge
|
||||
# with sigstore/fulcio when running outside of PRs.
|
||||
id-token: write
|
||||
|
||||
steps:
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@v4
|
||||
|
||||
# Install the cosign tool except on PR
|
||||
# https://github.com/sigstore/cosign-installer
|
||||
- name: Install cosign
|
||||
if: github.event_name != 'pull_request'
|
||||
uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 #v3.5.0
|
||||
with:
|
||||
cosign-release: 'v2.2.4'
|
||||
|
||||
# Set up BuildKit Docker container builder to be able to build
|
||||
# multi-platform images and export cache
|
||||
# https://github.com/docker/setup-buildx-action
|
||||
- name: Set up Docker Buildx
|
||||
uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
|
||||
|
||||
# Login against a Docker registry except on PR
|
||||
# https://github.com/docker/login-action
|
||||
- name: Log into registry ${{ env.REGISTRY }}
|
||||
if: github.event_name != 'pull_request'
|
||||
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
|
||||
with:
|
||||
registry: ${{ env.REGISTRY }}
|
||||
username: ${{ github.actor }}
|
||||
password: ${{ secrets.GITHUB_TOKEN }}
|
||||
|
||||
# Extract metadata (tags, labels) for Docker
|
||||
# https://github.com/docker/metadata-action
|
||||
- name: Extract Docker metadata
|
||||
id: meta
|
||||
uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0
|
||||
with:
|
||||
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
|
||||
|
||||
# Build and push Docker image with Buildx (don't push on PR)
|
||||
# https://github.com/docker/build-push-action
|
||||
- name: Build and push Docker image
|
||||
id: build-and-push
|
||||
uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
|
||||
with:
|
||||
context: .
|
||||
push: ${{ github.event_name != 'pull_request' }}
|
||||
tags: ${{ steps.meta.outputs.tags }}
|
||||
labels: ${{ steps.meta.outputs.labels }}
|
||||
cache-from: type=gha
|
||||
cache-to: type=gha,mode=max
|
||||
|
||||
# Sign the resulting Docker image digest except on PRs.
|
||||
# This will only write to the public Rekor transparency log when the Docker
|
||||
# repository is public to avoid leaking data. If you would like to publish
|
||||
# transparency data even for private images, pass --force to cosign below.
|
||||
# https://github.com/sigstore/cosign
|
||||
- name: Sign the published Docker image
|
||||
if: ${{ github.event_name != 'pull_request' }}
|
||||
env:
|
||||
# https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
|
||||
TAGS: ${{ steps.meta.outputs.tags }}
|
||||
DIGEST: ${{ steps.build-and-push.outputs.digest }}
|
||||
# This step uses the identity token to provision an ephemeral certificate
|
||||
# against the sigstore community Fulcio instance.
|
||||
run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
|
||||
|
|
@ -1,4 +1,4 @@
|
|||
FROM alpine:3.21.3
|
||||
FROM alpine:3.23.3
|
||||
|
||||
# this is the default, but just to be explicit
|
||||
USER root
|
||||
|
|
@ -8,7 +8,6 @@ RUN apk --no-cache add \
|
|||
openssh \
|
||||
bash \
|
||||
coreutils \
|
||||
git \
|
||||
borgbackup=1.4.0-r0
|
||||
|
||||
COPY src /src
|
||||
|
|
|
|||
|
|
@ -19,7 +19,7 @@ Over the past 2 years, this backup setup has enabled me to successfully restore
|
|||
- **Scheduled Backups**: Automates backups according to a defined schedule.
|
||||
- **Log Rotation**: Maintains weekly logs of all backup activities.
|
||||
- **Multi-Repository Backups**: Allows backups to multiple BorgBackup repositories simultaneously.
|
||||
- **Healthcheck**: The healthcheck is based on the time of the last successful backup.
|
||||
- **Healtcheck**: The healthcheck is based on the time of the last successful backup.
|
||||
|
||||
### Multi-target backups
|
||||
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
Host *
|
||||
StrictHostKeyChecking accept-new
|
||||
StrictHostKeyChecking no
|
||||
ServerAliveInterval 30
|
||||
ServerAliveCountMax 3
|
||||
|
|
|
|||
|
|
@ -3,6 +3,7 @@ services:
|
|||
image: ghcr.io/schmelczer/backup-container:latest
|
||||
container_name: backup
|
||||
init: true
|
||||
tty: true
|
||||
environment:
|
||||
- TZ=Europe/London
|
||||
- SLEEP_TIME=1h # we will wait an hour between backups
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
#!/bin/bash
|
||||
|
||||
echo "Starting backup wrapper script at $(date)"
|
||||
echo "Starting backup wrapper script at `date`"
|
||||
|
||||
execute_script() {
|
||||
echo "Executing script with:"
|
||||
|
|
@ -20,7 +20,7 @@ configure_environment() {
|
|||
for var in BORG_PASSPHRASE BORG_REPO; do
|
||||
local indexed_var_name="${var}_${index}"
|
||||
if [[ -n "${!indexed_var_name}" ]]; then
|
||||
export "$var"="${!indexed_var_name}"
|
||||
export $var="${!indexed_var_name}"
|
||||
else
|
||||
all_vars_set=false
|
||||
break
|
||||
|
|
@ -28,12 +28,10 @@ configure_environment() {
|
|||
done
|
||||
|
||||
# optional variables
|
||||
local indexed_var_name="BORG_REMOTE_PATH_${index}"
|
||||
if [[ -n "${!indexed_var_name}" ]]; then
|
||||
export BORG_REMOTE_PATH="${!indexed_var_name}"
|
||||
else
|
||||
unset BORG_REMOTE_PATH
|
||||
fi
|
||||
for var in BORG_REMOTE_PATH; do
|
||||
local indexed_var_name="${var}_${index}"
|
||||
export $var="${!indexed_var_name}"
|
||||
done
|
||||
|
||||
[[ $all_vars_set == true ]]
|
||||
}
|
||||
|
|
@ -41,11 +39,7 @@ configure_environment() {
|
|||
main() {
|
||||
if [ -n "$BORG_REPO" ]; then
|
||||
# fallback case if multi-target backup isn't needed
|
||||
if execute_script; then
|
||||
date > /health/backup_completion_time.log
|
||||
else
|
||||
echo "Skipping completion log due to backup failure"
|
||||
fi
|
||||
execute_script
|
||||
else
|
||||
local index=0
|
||||
local configurations_found=false
|
||||
|
|
@ -73,4 +67,4 @@ main() {
|
|||
|
||||
main
|
||||
|
||||
echo "Finished backup wrapper script at $(date)"
|
||||
echo "Finished backup wrapper script at `date`"
|
||||
|
|
|
|||
|
|
@ -5,80 +5,46 @@ KEEP_WEEKLY=${KEEP_WEEKLY:-3}
|
|||
KEEP_MONTHLY=${KEEP_MONTHLY:-48}
|
||||
KEEP_YEARLY=${KEEP_YEARLY:-10}
|
||||
|
||||
echo "Starting backup script at $(date)"
|
||||
echo "Starting backup script at `date`"
|
||||
|
||||
export BORG_RSH='ssh -oBatchMode=yes' # https://borgbackup.readthedocs.io/en/stable/usage/notes.html#ssh-batch-mode
|
||||
|
||||
# break any stale locks in case the script was interrupted
|
||||
borg break-lock
|
||||
|
||||
if ! borg info; then
|
||||
borg info # test whether we have a valid repository
|
||||
if [ $? -ne 0 ]; then
|
||||
echo "Borg info returned a non-zero status. Initializing Borg..."
|
||||
borg init --encryption=repokey
|
||||
fi
|
||||
|
||||
# The above command will fail if the repo hasn't been already initialized,
|
||||
# The above command will fail if the repo hasn't been already initialized,
|
||||
# so we can ignore the return status. However, if any of the commands below fail,
|
||||
# we want to stop the script immediately.
|
||||
set -e
|
||||
|
||||
cleanup() {
|
||||
if [ -n "${GIT_EXCLUDE_FILE:-}" ] && [ -f "$GIT_EXCLUDE_FILE" ]; then
|
||||
rm -f "$GIT_EXCLUDE_FILE"
|
||||
fi
|
||||
if [ -d "/snapshot/btrfs-root" ]; then
|
||||
cd /
|
||||
btrfs subvolume delete /snapshot/btrfs-root || true
|
||||
fi
|
||||
}
|
||||
trap cleanup EXIT
|
||||
|
||||
if [ -d "/snapshot/btrfs-root" ]; then
|
||||
btrfs subvolume delete /snapshot/btrfs-root
|
||||
fi
|
||||
|
||||
btrfs subvolume snapshot /btrfs-root /snapshot
|
||||
|
||||
cd "/snapshot/btrfs-root${BACKUP_RELATIVE_PATH:-}"
|
||||
|
||||
# Generate exclusions for git-untracked files if enabled
|
||||
EXCLUDE_ARGS=(--exclude-from /exclude.conf)
|
||||
if [ "${IGNORE_GIT_UNTRACKED:-false}" = "true" ]; then
|
||||
echo "Generating exclusions for git-untracked files..."
|
||||
GIT_EXCLUDE_FILE=$(mktemp)
|
||||
|
||||
# Find all git repositories and list their untracked files
|
||||
find . -name .git -type d | while read -r gitdir; do
|
||||
repo_dir=$(dirname "$gitdir")
|
||||
(
|
||||
cd "$repo_dir"
|
||||
# Get untracked files (respecting .gitignore)
|
||||
git ls-files --others --exclude-standard | while read -r file; do
|
||||
# Output path relative to backup root
|
||||
echo "${repo_dir#./}/$file"
|
||||
done
|
||||
)
|
||||
done > "$GIT_EXCLUDE_FILE"
|
||||
|
||||
excluded_count=$(wc -l < "$GIT_EXCLUDE_FILE")
|
||||
echo "Found $excluded_count git-untracked files to exclude"
|
||||
|
||||
EXCLUDE_ARGS+=(--exclude-from "$GIT_EXCLUDE_FILE")
|
||||
fi
|
||||
|
||||
cd "/snapshot/btrfs-root$BACKUP_RELATIVE_PATH"
|
||||
borg create --stats \
|
||||
--list \
|
||||
--filter=AMCE \
|
||||
--files-cache=ctime,size,inode \
|
||||
--compression=zstd,12 \
|
||||
"${EXCLUDE_ARGS[@]}" ::"{hostname}-{now:%Y-%m-%dT%H:%M:%S}" .
|
||||
|
||||
--exclude-from /exclude.conf ::"{hostname}-{now:%Y-%m-%dT%H:%M:%S}" .
|
||||
cd -
|
||||
|
||||
borg prune --list --stats \
|
||||
--keep-daily="$KEEP_DAILY" \
|
||||
--keep-weekly="$KEEP_WEEKLY" \
|
||||
--keep-monthly="$KEEP_MONTHLY" \
|
||||
--keep-yearly="$KEEP_YEARLY"
|
||||
--keep-daily=$KEEP_DAILY \
|
||||
--keep-weekly=$KEEP_WEEKLY \
|
||||
--keep-monthly=$KEEP_MONTHLY \
|
||||
--keep-yearly=$KEEP_YEARLY
|
||||
|
||||
borg compact --threshold=5 --cleanup-commits --verbose --progress
|
||||
|
||||
btrfs subvolume delete /snapshot/btrfs-root
|
||||
|
||||
|
|
|
|||
|
|
@ -2,26 +2,15 @@
|
|||
|
||||
set -e
|
||||
|
||||
MAX_BACKUP_AGE_SECONDS="${MAX_BACKUP_AGE_SECONDS:-86400}"
|
||||
|
||||
if [ -f /health/backup_completion_time.log ]; then
|
||||
current_time=$(date +%s)
|
||||
backup_time=$(date --file /health/backup_completion_time.log +%s)
|
||||
age_in_seconds=$((current_time - backup_time))
|
||||
|
||||
if [ "${age_in_seconds}" -lt "${MAX_BACKUP_AGE_SECONDS}" ]; then
|
||||
|
||||
if [ ${age_in_seconds} -lt ${MAX_BACKUP_AGE_SECONDS} ]; then
|
||||
echo "Backup completed within the last ${MAX_BACKUP_AGE_SECONDS} seconds. Healthcheck passed."
|
||||
exit 0
|
||||
fi
|
||||
elif [ -f /health/container_start_time.log ]; then
|
||||
current_time=$(date +%s)
|
||||
start_time=$(date --file /health/container_start_time.log +%s)
|
||||
age_in_seconds=$((current_time - start_time))
|
||||
|
||||
if [ "${age_in_seconds}" -lt "${MAX_BACKUP_AGE_SECONDS}" ]; then
|
||||
echo "No backup completed yet, but container started less than ${MAX_BACKUP_AGE_SECONDS} seconds ago. Healthcheck passed."
|
||||
exit 0
|
||||
fi
|
||||
fi
|
||||
|
||||
echo "Backup not completed within the last ${MAX_BACKUP_AGE_SECONDS} seconds. Healthcheck failed."
|
||||
|
|
|
|||
|
|
@ -10,11 +10,10 @@ get_log_file_name() {
|
|||
echo "/backup-logs/backup_$(date +%Y)_week_$(date +%U).log"
|
||||
}
|
||||
|
||||
echo "Starting schedule script at $(date)" | log_message
|
||||
date > /health/container_start_time.log
|
||||
echo "Starting schedule script at `date`" | log_message
|
||||
|
||||
while true; do
|
||||
/src/backup-wrapper.sh 2>&1 | log_message
|
||||
exec /src/backup-wrapper.sh 2>&1 | log_message
|
||||
echo "Sleeping for $SLEEP_TIME" | log_message
|
||||
|
||||
# Using a simple sleep loop to schedule backups instead of cron to avoid concurrency issues
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue