From 0b641a82539a473ae861dbc21981f717425749cc Mon Sep 17 00:00:00 2001
From: Nold <Nold360@users.noreply.github.com>
Date: Fri, 21 Jan 2022 10:33:54 +0100
Subject: [PATCH] Upgrade: bullseye & borgbackup 1.1.16 (#13)

* Upgrade to bullseye-slim image
* Fix(run.sh): authorized_keys permissions
* Change(run.sh): Add restrict to client keys & output debian version
* Change(Dockerfile): Allow different base images
* Update(drone): Build buster & bullseye images
* Update README
---
 .drone.yml  | 20 +++++++++++++++++++-
 Dockerfile  |  3 ++-
 README.md   |  6 ++++++
 data/run.sh |  5 ++++-
 4 files changed, 31 insertions(+), 3 deletions(-)

diff --git a/.drone.yml b/.drone.yml
index e79c02f..f204aa3 100644
--- a/.drone.yml
+++ b/.drone.yml
@@ -4,7 +4,7 @@ name: build
 type: kubernetes
 
 steps:
-- name: build-image
+- name: build-bullseye
   image: plugins/kaniko
   settings:
     username:
@@ -13,6 +13,24 @@ steps:
       from_secret: docker_password
     repo: nold360/borgserver
     dockerfile: Dockerfile
+    build_args:
+      - BASE_IMAGE=debian:bullseye-slim
     tags:
       - latest
+      - bullseye
+      - 1.1.16
+
+- name: build-buster
+  image: plugins/kaniko
+  settings:
+    username:
+      from_secret: docker_username
+    password:
+      from_secret: docker_password
+    repo: nold360/borgserver
+    dockerfile: Dockerfile
+    build_args:
+      - BASE_IMAGE=debian:buster-slim
+    tags:
       - buster
+      - 1.1.9
diff --git a/Dockerfile b/Dockerfile
index a682457..a7cd5d1 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -2,7 +2,8 @@
 # Dockerfile to build borgbackup server images
 # Based on Debian
 ############################################################
-FROM debian:buster-slim
+ARG BASE_IMAGE=debian:bullseye-slim
+FROM $BASE_IMAGE
 
 # Volume for SSH-Keys
 VOLUME /sshkeys
diff --git a/README.md b/README.md
index a0d7eec..e381cdc 100644
--- a/README.md
+++ b/README.md
@@ -132,3 +132,9 @@ And create your first backup!
 ```
  $ borg create backup:my_first_borg_repo::documents-2017-11-01 /home/user/MyImportentDocs
 ```
+
+## Tags
+
+All images are freshly built every week & published as `nold360/borgserver` with the following tags:
+ - Latest / Stable [borg 1.1.16]: `bullseye`, `1.1.16`, `latest`
+ - Legacy / Buster [borg 1.1.9 ]: `buster`, `1.1.9`
diff --git a/data/run.sh b/data/run.sh
index e794704..63ec0eb 100755
--- a/data/run.sh
+++ b/data/run.sh
@@ -15,9 +15,11 @@ AUTHORIZED_KEYS_PATH=/home/borg/.ssh/authorized_keys
 # Append only mode?
 BORG_APPEND_ONLY=${BORG_APPEND_ONLY:=no}
 
+source /etc/os-release
 echo "########################################################"
 echo -n " * Docker BorgServer powered by "
 borg -V
+echo " * Based on ${PRETTY_NAME}"
 echo "########################################################"
 echo " * User  id: $(id -u borg)"
 echo " * Group id: $(id -g borg)"
@@ -74,9 +76,10 @@ for keyfile in $(find "${SSH_KEY_DIR}/clients" ! -regex '.*/\..*' -a -type f); d
 		borg_cmd="${BORG_CMD} --append-only"
 	fi
 
-    echo -n "command=\"$(eval echo -n \"${borg_cmd}\")\" " >> ${AUTHORIZED_KEYS_PATH}
+    echo -n "restrict,command=\"$(eval echo -n \"${borg_cmd}\")\" " >> ${AUTHORIZED_KEYS_PATH}
 	cat ${keyfile} >> ${AUTHORIZED_KEYS_PATH}
 done
+chmod 0600 "${AUTHORIZED_KEYS_PATH}"
 
 echo " * Validating structure of generated ${AUTHORIZED_KEYS_PATH}..."
 ERROR=$(ssh-keygen -lf ${AUTHORIZED_KEYS_PATH} 2>&1 >/dev/null)