Run on self-hosted runner

.forgejo/workflows/docker-publish.yml

@@ -0,0 +1,38 @@
+name: Docker
+
+on:
+  push:
+    branches: [ "main" ]
+    tags: [ 'v*.*.*' ]
+  pull_request:
+    branches: [ "main" ]
+
+env:
+  REGISTRY: ${{ forgejo.server_url }}
+  IMAGE_NAME: ${{ forgejo.repository }}
+
+jobs:
+  build:
+    runs-on: docker
+    steps:
+      - name: Checkout repository
+        uses: https://code.forgejo.org/actions/checkout@v4
+
+      - name: Log into registry
+        if: forgejo.event_name != 'pull_request'
+        run: echo "${{ secrets.FORGEJO_TOKEN }}" | docker login ${{ env.REGISTRY }} -u ${{ forgejo.actor }} --password-stdin
+
+      - name: Build Docker image
+        run: |
+          TAG="${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest"
+          if [ "${{ forgejo.ref_type }}" = "tag" ]; then
+            VERSION="${{ forgejo.ref_name }}"
+            docker build -t "$TAG" -t "${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${VERSION}" .
+          else
+            docker build -t "$TAG" .
+          fi
+
+      - name: Push Docker image
+        if: forgejo.event_name != 'pull_request'
+        run: |
+          docker push --all-tags "${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}"

.forgejo/workflows/shellcheck.yml

@@ -0,0 +1,19 @@
+name: ShellCheck
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+jobs:
+  shellcheck:
+    runs-on: docker
+    steps:
+      - uses: https://code.forgejo.org/actions/checkout@v4
+
+      - name: Install ShellCheck
+        run: apt-get update && apt-get install -y shellcheck
+
+      - name: Run ShellCheck
+        run: find ./src -name '*.sh' -exec shellcheck {} +

.github/workflows/docker-publish.yml

@@ -1,90 +0,0 @@
-name: Docker
-
-on:
-  push:
-    branches: [ "main" ]
-    # Publish semver tags as releases.
-    tags: [ 'v*.*.*' ]
-  pull_request:
-    branches: [ "main" ]
-
-env:
-  # Use docker.io for Docker Hub if empty
-  REGISTRY: ghcr.io
-  # github.repository as <account>/<repo>
-  IMAGE_NAME: ${{ github.repository }}
-
-jobs:
-  build:
-
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      packages: write
-      # This is used to complete the identity challenge
-      # with sigstore/fulcio when running outside of PRs.
-      id-token: write
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v4
-
-      # Install the cosign tool except on PR
-      # https://github.com/sigstore/cosign-installer
-      - name: Install cosign
-        if: github.event_name != 'pull_request'
-        uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 #v3.5.0
-        with:
-          cosign-release: 'v2.2.4'
-
-      # Set up BuildKit Docker container builder to be able to build
-      # multi-platform images and export cache
-      # https://github.com/docker/setup-buildx-action
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
-
-      # Login against a Docker registry except on PR
-      # https://github.com/docker/login-action
-      - name: Log into registry ${{ env.REGISTRY }}
-        if: github.event_name != 'pull_request'
-        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
-        with:
-          registry: ${{ env.REGISTRY }}
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      # Extract metadata (tags, labels) for Docker
-      # https://github.com/docker/metadata-action
-      - name: Extract Docker metadata
-        id: meta
-        uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0
-        with:
-          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
-
-      # Build and push Docker image with Buildx (don't push on PR)
-      # https://github.com/docker/build-push-action
-      - name: Build and push Docker image
-        id: build-and-push
-        uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
-        with:
-          context: .
-          push: ${{ github.event_name != 'pull_request' }}
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
-
-      # Sign the resulting Docker image digest except on PRs.
-      # This will only write to the public Rekor transparency log when the Docker
-      # repository is public to avoid leaking data.  If you would like to publish
-      # transparency data even for private images, pass --force to cosign below.
-      # https://github.com/sigstore/cosign
-      - name: Sign the published Docker image
-        if: ${{ github.event_name != 'pull_request' }}
-        env:
-          # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
-          TAGS: ${{ steps.meta.outputs.tags }}
-          DIGEST: ${{ steps.build-and-push.outputs.digest }}
-        # This step uses the identity token to provision an ephemeral certificate
-        # against the sigstore community Fulcio instance.
-        run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}

Dockerfile

@@ -8,15 +8,15 @@ RUN apk --no-cache add \
     openssh \
     bash \
     coreutils \
+    git \
     borgbackup=1.4.0-r0
 
 COPY src /src
 COPY config/ssh_config /etc/ssh/
 COPY config/exclude.conf /exclude.conf
 
-
 # Add healthcheck to verify backup completed within allowed time
 ENV MAX_BACKUP_AGE_SECONDS=86400
-HEALTHCHECK --interval=10s --timeout=10s --start-period=1h CMD /src/healthcheck.sh
+HEALTHCHECK --interval=10s --timeout=10s CMD /src/healthcheck.sh
 
 ENTRYPOINT ["sh", "-c", "/src/schedule.sh"]

README.md

@@ -19,7 +19,7 @@ Over the past 2 years, this backup setup has enabled me to successfully restore
 - **Scheduled Backups**: Automates backups according to a defined schedule.
 - **Log Rotation**: Maintains weekly logs of all backup activities.
 - **Multi-Repository Backups**: Allows backups to multiple BorgBackup repositories simultaneously.
-- **Healtcheck**: The healthcheck is based on the time of the last successful backup.
+- **Healthcheck**: The healthcheck is based on the time of the last successful backup.
 
 ### Multi-target backups
 

config/ssh_config

@@ -1,4 +1,4 @@
 Host *
-    StrictHostKeyChecking no
+    StrictHostKeyChecking accept-new
     ServerAliveInterval 30
     ServerAliveCountMax 3

docker-compose.yml

@@ -3,7 +3,6 @@ services:
     image: ghcr.io/schmelczer/backup-container:latest
     container_name: backup
     init: true
-    tty: true
     environment:
       - TZ=Europe/London
       - SLEEP_TIME=1h # we will wait an hour between backups
@@ -26,11 +25,14 @@ services:
       # Used for determining the health of the container
       - MAX_BACKUP_AGE_SECONDS=86400 # default: 86400 (1d)
     volumes:
-      - /volumes:/source:ro # we backup this folder (which is a BTRFS volume), we mustn't change it, so it's readonly
+      - /:/btrfs-root:ro
       - /volumes/backup:/snapshot # we must mount a path to a folder on the BTRFS disk for the snapshot to be put at, this is just a temporary path
       - /volumes/backup/logs:/backup-logs # we will store the output of the backup commands in this folder
+      
       - borg-cache:/root/.cache/borg # speed up subsequent backups
 
+      - health-flag:/health # this is used to determine if the backup was successful and when it was last run
+
       - /bulk/backup:/local-backup # this is an example target backup path for BORG_REPO_1 from above
       - /volumes/backup/config/id_rsa:/root/.ssh/id_rsa # this is an example for mounting an ssh key for a remote repo (BORG_REPO_0 above)
 
@@ -40,3 +42,4 @@ services:
 
 volumes:
   borg-cache:
+  health-flag:

src/backup-wrapper.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-echo "Starting backup wrapper script at `date`"
+echo "Starting backup wrapper script at $(date)"
 
 execute_script() {
     echo "Executing script with:"
@@ -20,7 +20,7 @@ configure_environment() {
     for var in BORG_PASSPHRASE BORG_REPO; do
         local indexed_var_name="${var}_${index}"
         if [[ -n "${!indexed_var_name}" ]]; then
-            export $var="${!indexed_var_name}"
+            export "$var"="${!indexed_var_name}"
         else
             all_vars_set=false
             break
@@ -28,10 +28,12 @@ configure_environment() {
     done
 
     # optional variables
-    for var in BORG_REMOTE_PATH; do
+    local indexed_var_name="BORG_REMOTE_PATH_${index}"
-        local indexed_var_name="${var}_${index}"
+    if [[ -n "${!indexed_var_name}" ]]; then
-        export $var="${!indexed_var_name}"
+        export BORG_REMOTE_PATH="${!indexed_var_name}"
-    done
+    else
+        unset BORG_REMOTE_PATH
+    fi
 
     [[ $all_vars_set == true ]]
 }
@@ -39,18 +41,30 @@ configure_environment() {
 main() {
     if [ -n "$BORG_REPO" ]; then
         # fallback case if multi-target backup isn't needed
-        execute_script
+        if execute_script; then
+            date > /health/backup_completion_time.log
+        else
+            echo "Skipping completion log due to backup failure"
+        fi
     else
         local index=0
         local configurations_found=false
+        local any_failed=false
 
         while configure_environment $index; do
-            execute_script || true
+            execute_script || any_failed=true
             configurations_found=true
             unset BORG_PASSPHRASE BORG_REMOTE_PATH BORG_REPO
             ((index++))
         done
 
+        echo "Finished backup script at $(date)"
+        if [[ $any_failed == false ]]; then
+            date > /health/backup_completion_time.log # this used by the healtcheck
+        else
+            echo "Skipping completion log due to backup failure(s)"
+        fi
+
         if [[ $configurations_found == false ]]; then
             echo "No valid configuration found. Please ensure environment variables are set properly."
         fi
@@ -59,4 +73,4 @@ main() {
 
 main
 
-echo "Finished backup wrapper script at `date`"
+echo "Finished backup wrapper script at $(date)"

src/backup.sh

@@ -5,48 +5,80 @@ KEEP_WEEKLY=${KEEP_WEEKLY:-3}
 KEEP_MONTHLY=${KEEP_MONTHLY:-48}
 KEEP_YEARLY=${KEEP_YEARLY:-10}
 
-echo "Starting backup script at `date`"
+echo "Starting backup script at $(date)"
 
 export BORG_RSH='ssh -oBatchMode=yes' # https://borgbackup.readthedocs.io/en/stable/usage/notes.html#ssh-batch-mode
 
 # break any stale locks in case the script was interrupted
 borg break-lock
 
-borg info # test whether we have a valid repository
+if ! borg info; then
-if [ $? -ne 0 ]; then
     echo "Borg info returned a non-zero status. Initializing Borg..."
     borg init --encryption=repokey
 fi
 
-# The above command will fail if the repo hasn't been already initialized, 
+# The above command will fail if the repo hasn't been already initialized,
 # so we can ignore the return status. However, if any of the commands below fail,
 # we want to stop the script immediately.
 set -e
 
-if [ -d "/snapshot/source" ]; then
+cleanup() {
-    btrfs subvolume delete /snapshot/source
+    if [ -n "${GIT_EXCLUDE_FILE:-}" ] && [ -f "$GIT_EXCLUDE_FILE" ]; then
+        rm -f "$GIT_EXCLUDE_FILE"
+    fi
+    if [ -d "/snapshot/btrfs-root" ]; then
+        cd /
+        btrfs subvolume delete /snapshot/btrfs-root || true
+    fi
+}
+trap cleanup EXIT
+
+if [ -d "/snapshot/btrfs-root" ]; then
+    btrfs subvolume delete /snapshot/btrfs-root
 fi
 
-btrfs subvolume snapshot /source /snapshot
+btrfs subvolume snapshot /btrfs-root /snapshot
+
+cd "/snapshot/btrfs-root${BACKUP_RELATIVE_PATH:-}"
+
+# Generate exclusions for git-untracked files if enabled
+EXCLUDE_ARGS=(--exclude-from /exclude.conf)
+if [ "${IGNORE_GIT_UNTRACKED:-false}" = "true" ]; then
+    echo "Generating exclusions for git-untracked files..."
+    GIT_EXCLUDE_FILE=$(mktemp)
+
+    # Find all git repositories and list their untracked files
+    find . -name .git -type d | while read -r gitdir; do
+        repo_dir=$(dirname "$gitdir")
+        (
+            cd "$repo_dir"
+            # Get untracked files (respecting .gitignore)
+            git ls-files --others --exclude-standard | while read -r file; do
+                # Output path relative to backup root
+                echo "${repo_dir#./}/$file"
+            done
+        )
+    done > "$GIT_EXCLUDE_FILE"
+
+    excluded_count=$(wc -l < "$GIT_EXCLUDE_FILE")
+    echo "Found $excluded_count git-untracked files to exclude"
+
+    EXCLUDE_ARGS+=(--exclude-from "$GIT_EXCLUDE_FILE")
+fi
 
-cd /snapshot/source
 borg create --stats \
     --list \
     --filter=AMCE \
     --files-cache=ctime,size,inode \
     --compression=zstd,12 \
-    --exclude-from /exclude.conf ::"{hostname}-{now:%Y-%m-%dT%H:%M:%S}" .
+    "${EXCLUDE_ARGS[@]}" ::"{hostname}-{now:%Y-%m-%dT%H:%M:%S}" .
+
 cd -
 
 borg prune --list --stats \
-    --keep-daily=$KEEP_DAILY \
+    --keep-daily="$KEEP_DAILY" \
-    --keep-weekly=$KEEP_WEEKLY \
+    --keep-weekly="$KEEP_WEEKLY" \
-    --keep-monthly=$KEEP_MONTHLY \
+    --keep-monthly="$KEEP_MONTHLY" \
-    --keep-yearly=$KEEP_YEARLY
+    --keep-yearly="$KEEP_YEARLY"
 
 borg compact --threshold=5 --cleanup-commits --verbose --progress
-
-btrfs subvolume delete /snapshot/source
-
-echo "Finished backup script at `date`"
-date > /backup_completion_time.log # this used by the healtcheck

src/healthcheck.sh

@@ -2,15 +2,26 @@
 
 set -e
 
-if [ -f /backup_completion_time.log ]; then
+MAX_BACKUP_AGE_SECONDS="${MAX_BACKUP_AGE_SECONDS:-86400}"
+
+if [ -f /health/backup_completion_time.log ]; then
     current_time=$(date +%s)
-    backup_time=$(date --file /backup_completion_time.log +%s)
+    backup_time=$(date --file /health/backup_completion_time.log +%s)
     age_in_seconds=$((current_time - backup_time))
-    
+
-    if [ ${age_in_seconds} -lt ${MAX_BACKUP_AGE_SECONDS} ]; then
+    if [ "${age_in_seconds}" -lt "${MAX_BACKUP_AGE_SECONDS}" ]; then
         echo "Backup completed within the last ${MAX_BACKUP_AGE_SECONDS} seconds. Healthcheck passed."
         exit 0
     fi
+elif [ -f /health/container_start_time.log ]; then
+    current_time=$(date +%s)
+    start_time=$(date --file /health/container_start_time.log +%s)
+    age_in_seconds=$((current_time - start_time))
+
+    if [ "${age_in_seconds}" -lt "${MAX_BACKUP_AGE_SECONDS}" ]; then
+        echo "No backup completed yet, but container started less than ${MAX_BACKUP_AGE_SECONDS} seconds ago. Healthcheck passed."
+        exit 0
+    fi
 fi
 
 echo "Backup not completed within the last ${MAX_BACKUP_AGE_SECONDS} seconds. Healthcheck failed."

src/schedule.sh

@@ -10,10 +10,11 @@ get_log_file_name() {
     echo "/backup-logs/backup_$(date +%Y)_week_$(date +%U).log"
 }
 
-echo "Starting schedule script at `date`" | log_message
+echo "Starting schedule script at $(date)" | log_message
+date > /health/container_start_time.log
 
 while true; do
-    exec /src/backup-wrapper.sh 2>&1 | log_message
+    /src/backup-wrapper.sh 2>&1 | log_message
     echo "Sleeping for $SLEEP_TIME" | log_message
 
     # Using a simple sleep loop to schedule backups instead of cron to avoid concurrency issues