diff --git a/.gitignore b/.gitignore index ae9c630..60ba08a 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,3 @@ /backup /sshkeys +.env diff --git a/Dockerfile b/Dockerfile index a682457..af7b621 100644 --- a/Dockerfile +++ b/Dockerfile @@ -24,6 +24,9 @@ RUN apt-get update && apt-get -y --no-install-recommends install \ COPY ./data/run.sh /run.sh COPY ./data/sshd_config /etc/ssh/sshd_config +COPY ./data/update-ssh-keys.sh /usr/local/bin/ +COPY ./data/create-client-dirs.sh /usr/local/bin/ +COPY ./data/env.sh /usr/local/bin/env.sh ENTRYPOINT /run.sh diff --git a/Dockerfile.pullgit b/Dockerfile.pullgit new file mode 100644 index 0000000..ab642cf --- /dev/null +++ b/Dockerfile.pullgit @@ -0,0 +1,9 @@ +############################################################ +# Dockerfile to build borgbackup server images with git-pull support! +# Based on Debian +############################################################ +FROM borgserver:latest + +RUN apt-get update && apt-get -y --no-install-recommends install \ + git ca-certificates && apt-get clean && \ + rm -rf /var/lib/apt/lists/* /var/tmp/* /tmp/* diff --git a/data/create-client-dirs.sh b/data/create-client-dirs.sh new file mode 100755 index 0000000..e3bc7dd --- /dev/null +++ b/data/create-client-dirs.sh @@ -0,0 +1,55 @@ +#!/bin/bash +# This script generates the authorized_keys file from SSH_KEY_DIR +# authorized_keys will only get overridden after syntax check +set -e +source env.sh + +TMPFILE=$(mktemp) + +echo "######################################################" +echo "* Regenerate borgserver authorized_keys *" +echo "######################################################" + +# Add every key to borg-users authorized_keys +for keyfile in $(find "${SSH_KEY_DIR}/clients" ! -regex '.*/\..*' -a -type f); do + client_name=$(basename ${keyfile}) + + # Only import valid keyfiles, skip other files + if ! ssh-keygen -lf $keyfile >/dev/null ; then + echo " Warning: Skipping invalid ssh-key file '$keyfile'" + continue + fi + + if [ ! -d "${BORG_DATA_DIR}/${client_name}" ]; then + echo " ** Adding client ${client_name} with repo path ${BORG_DATA_DIR}/${client_name}" + mkdir "${BORG_DATA_DIR}/${client_name}" + else + echo "Directory ${BORG_DATA_DIR}/${client_name} exists: Nothing to do" + fi + + # If client is $BORG_ADMIN unset $client_name, so path restriction equals $BORG_DATA_DIR + # Otherwise add --append-only, if enabled + borg_cmd=${BORG_CMD} + if [ "${client_name}" == "${BORG_ADMIN}" ] ; then + echo " ** Client '${client_name}' is BORG_ADMIN! **" + unset client_name + elif [ "${BORG_APPEND_ONLY}" == "yes" ] ; then + borg_cmd="${BORG_CMD} --append-only" + fi + + echo -n "command=\"$(eval echo -n \"${borg_cmd}\")\" " >> ${TMPFILE} + cat ${keyfile} >> ${TMPFILE} +done + +# Due to `set -e` the script will end here on failure anyways +echo " * Validating structure of generated ${AUTHORIZED_KEYS_PATH}..." +ssh-keygen -lf ${TMPFILE} >/dev/null + +mv ${TMPFILE} ${AUTHORIZED_KEYS_PATH} +echo " ** Success" + +chown -R borg:borg ${BORG_DATA_DIR} +chown borg:borg ${AUTHORIZED_KEYS_PATH} +chmod 600 ${AUTHORIZED_KEYS_PATH} + +exit 0 diff --git a/data/env.sh b/data/env.sh new file mode 100755 index 0000000..0f32096 --- /dev/null +++ b/data/env.sh @@ -0,0 +1,23 @@ +# Default values for environment +PATH=$PATH:/usr/local/bin +PUID=${PUID:-1000} +PGID=${PGID:-1000} + +# Append only mode? +BORG_APPEND_ONLY=${BORG_APPEND_ONLY:=no} + +# Volume for backup repositories +BORG_DATA_DIR=${BORG_DATA_DIR:-/backup} + +# Branch of KEY_GIT_URL +KEY_GIT_BRANCH=${KEY_GIT_BRANCH:-master} + +# This will contain the host and client keys +SSH_KEY_DIR=${SSH_KEY_DIR:-/sshkeys} + +### CAUTION +# This is more of a template then something you need to change, it should stay static +BORG_CMD='cd ${BORG_DATA_DIR}/${client_name}; borg serve --restrict-to-path ${BORG_DATA_DIR}/${client_name} ${BORG_SERVE_ARGS}' + +# Path to authorized_keys file +AUTHORIZED_KEYS_PATH=${AUTHORIZED_KEYS_PATH:-/home/borg/.ssh/authorized_keys} diff --git a/data/run.sh b/data/run.sh index e794704..f57d8ec 100755 --- a/data/run.sh +++ b/data/run.sh @@ -1,34 +1,30 @@ #!/bin/bash # Start Script for docker-borgserver - -PUID=${PUID:-1000} -PGID=${PGID:-1000} +set -e +source env.sh usermod -o -u "$PUID" borg &>/dev/null groupmod -o -g "$PGID" borg &>/dev/null -BORG_DATA_DIR=/backup -SSH_KEY_DIR=/sshkeys -BORG_CMD='cd ${BORG_DATA_DIR}/${client_name}; borg serve --restrict-to-path ${BORG_DATA_DIR}/${client_name} ${BORG_SERVE_ARGS}' -AUTHORIZED_KEYS_PATH=/home/borg/.ssh/authorized_keys - -# Append only mode? -BORG_APPEND_ONLY=${BORG_APPEND_ONLY:=no} - echo "########################################################" echo -n " * Docker BorgServer powered by " borg -V echo "########################################################" echo " * User id: $(id -u borg)" echo " * Group id: $(id -g borg)" +if [ -z "${KEY_GIT_URL}" ] ; then + echo "* Pulling keys from ${KEY_GIT_URL}" +fi echo "########################################################" - # Precheck if BORG_ADMIN is set if [ "${BORG_APPEND_ONLY}" == "yes" ] && [ -z "${BORG_ADMIN}" ] ; then echo "WARNING: BORG_APPEND_ONLY is active, but no BORG_ADMIN was specified!" fi +# Init the ssh keys directory from a remote git repository +update-ssh-keys.sh + # Precheck directories & client ssh-keys for dir in BORG_DATA_DIR SSH_KEY_DIR ; do dirpath=$(eval echo '$'${dir}) @@ -54,40 +50,8 @@ for keytype in ed25519 rsa ; do fi done -echo "########################################################" -echo " * Starting SSH-Key import..." - # Add every key to borg-users authorized_keys -rm ${AUTHORIZED_KEYS_PATH} &>/dev/null -for keyfile in $(find "${SSH_KEY_DIR}/clients" ! -regex '.*/\..*' -a -type f); do - client_name=$(basename ${keyfile}) - mkdir ${BORG_DATA_DIR}/${client_name} 2>/dev/null - echo " ** Adding client ${client_name} with repo path ${BORG_DATA_DIR}/${client_name}" - - # If client is $BORG_ADMIN unset $client_name, so path restriction equals $BORG_DATA_DIR - # Otherwise add --append-only, if enabled - borg_cmd=${BORG_CMD} - if [ "${client_name}" == "${BORG_ADMIN}" ] ; then - echo " ** Client '${client_name}' is BORG_ADMIN! **" - unset client_name - elif [ "${BORG_APPEND_ONLY}" == "yes" ] ; then - borg_cmd="${BORG_CMD} --append-only" - fi - - echo -n "command=\"$(eval echo -n \"${borg_cmd}\")\" " >> ${AUTHORIZED_KEYS_PATH} - cat ${keyfile} >> ${AUTHORIZED_KEYS_PATH} -done - -echo " * Validating structure of generated ${AUTHORIZED_KEYS_PATH}..." -ERROR=$(ssh-keygen -lf ${AUTHORIZED_KEYS_PATH} 2>&1 >/dev/null) -if [ $? -ne 0 ]; then - echo "ERROR: ${ERROR}" - exit 1 -fi - -chown -R borg:borg ${BORG_DATA_DIR} -chown borg:borg ${AUTHORIZED_KEYS_PATH} -chmod 600 ${AUTHORIZED_KEYS_PATH} +create-client-dirs.sh echo "########################################################" echo " * Init done! Starting SSH-Daemon..." diff --git a/data/update-ssh-keys.sh b/data/update-ssh-keys.sh new file mode 100755 index 0000000..bb5f4b0 --- /dev/null +++ b/data/update-ssh-keys.sh @@ -0,0 +1,20 @@ +#!/bin/bash +# This script updates the authorized_keys file +# Will clone/pull ssh-pubkeys from GIT_KEY_URL if set +set -e +source env.sh + +if [ -d "${SSH_KEY_DIR}/clients/.git" ] ; then + git -C "${SSH_KEY_DIR}/clients" fetch + if ! git -C "${SSH_KEY_DIR}/clients" diff --quiet remotes/origin/HEAD; then + echo "Pull from git repository" + git -C "${SSH_KEY_DIR}/clients" pull + create-client-dirs.sh + else + echo "$0: Nothing to do" + fi +elif [ ! -z "${KEY_GIT_URL}" ] ; then + git clone --depth=1 -b ${KEY_GIT_BRANCH} ${KEY_GIT_URL} ${SSH_KEY_DIR}/clients +fi + +exit 0 diff --git a/docker-compose.yml b/docker-compose.yml index aabaf84..5c3e12c 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -1,13 +1,16 @@ version: '3' services: borgserver: - image: nold360/borgserver - #build: . + #image: nold360/borgserver + build: + context: . + dockerfile: Dockerfile.pullgit volumes: - ./backup:/backup - ./sshkeys:/sshkeys ports: - "2222:22" + env_file: .env environment: BORG_SERVE_ARGS: ""