Merge branch 'release/1.0.0'

* Upgrade to bullseye-slim image
* Fix(run.sh): authorized_keys permissions
* Change(run.sh): Add restrict to client keys & output debian version
* Change(Dockerfile): Allow different base images
* Update(drone): Build buster & bullseye images
* Update README

.gitignore

@@ -1,3 +1,2 @@
 /backup
 /sshkeys
-.env

.woodpecker.yml

@@ -0,0 +1,39 @@
+steps:
+  build:
+    image: woodpeckerci/plugin-docker-buildx
+    settings:
+      dry-run: true
+      repo: git.merp.digital/${CI_REPO_OWNER}/borgserver
+      platforms: linux/386,linux/amd64,linux/arm/v7,linux/arm64/v8
+      registry: git.merp.digital
+    when:
+      - event: push
+        branch: 
+          exclude: [develop, master]
+
+  publish-nightly:
+    image: woodpeckerci/plugin-docker-buildx
+    settings:
+      repo: git.merp.digital/${CI_REPO_OWNER}/borgserver
+      platforms: linux/386,linux/amd64,linux/arm/v7,linux/arm64/v8
+      registry: git.merp.digital
+      tags: develop-${CI_COMMIT_SHA}
+      username: ${CI_REPO_OWNER}
+      password:
+        from_secret: cb_token
+    when:
+      - event: push
+        branch: develop
+
+  publish-release:
+    image: woodpeckerci/plugin-docker-buildx
+    settings:
+      repo: git.merp.digital/${CI_REPO_OWNER}/borgserver
+      platforms: linux/386,linux/amd64,linux/arm/v7,linux/arm64/v8
+      registry: git.merp.digital
+      tags: ${CI_COMMIT_TAG}
+      username: ${CI_REPO_OWNER}
+      password:
+        from_secret: cb_token
+    when:
+      - event: tag

Dockerfile

@@ -2,7 +2,7 @@
 # Dockerfile to build borgbackup server images
 # Based on Debian
 ############################################################
-FROM debian:buster-slim
+FROM debian:12.4-slim
 
 # Volume for SSH-Keys
 VOLUME /sshkeys
@@ -24,9 +24,6 @@ RUN apt-get update && apt-get -y --no-install-recommends install \
 
 COPY ./data/run.sh /run.sh
 COPY ./data/sshd_config /etc/ssh/sshd_config
-COPY ./data/update-ssh-keys.sh /usr/local/bin/
-COPY ./data/create-client-dirs.sh /usr/local/bin/
-COPY ./data/env.sh /usr/local/bin/env.sh
 
 ENTRYPOINT /run.sh
 

Dockerfile.pullgit

@@ -1,9 +0,0 @@
-############################################################
-# Dockerfile to build borgbackup server images with git-pull support!
-# Based on Debian
-############################################################
-FROM borgserver:latest
-
-RUN apt-get update && apt-get -y --no-install-recommends install \
-		git ca-certificates && apt-get clean && \
-		rm -rf /var/lib/apt/lists/* /var/tmp/* /tmp/*

README.md

@@ -29,7 +29,7 @@ docker run -td \
 	-p 2222:22  \
 	--volume ./borg/sshkeys:/sshkeys \
 	--volume ./borg/backup:/backup \
-	nold360/borgserver:latest
+	git.merp.digital/eranmorkon/borgserver:1.0.0
 ```
 
 
@@ -45,7 +45,7 @@ See the the documentation for all available arguments: [borgbackup.readthedocs.i
 
 ##### Example
 ```
-docker run --rm -e BORG_SERVE_ARGS="--progress --debug" (...) nold360/borgserver
+docker run --rm -e BORG_SERVE_ARGS="--progress --debug" (...) git.merp.digital/eranmorkon/borgserver
 ```
 
 #### BORG_APPEND_ONLY
@@ -62,7 +62,7 @@ To declare a client as admin, set this variable to the name of the client/sshkey
 
 ##### Example
 ```
-docker run --rm -e BORG_APPEND_ONLY="yes" -e BORG_ADMIN="nolds_notebook" (...) nold360/borgserver
+docker run --rm -e BORG_APPEND_ONLY="yes" -e BORG_ADMIN="nolds_notebook" (...) git.merp.digital/eranmorkon/borgserver
 ```
 
 To prune repos from another client, you have to add the path to the repository in the clients directory:
@@ -112,23 +112,7 @@ In this directory will borg write all the client data to. It's best to start wit
 
 ## Example Setup
 ### docker-compose.yml
-Here is a quick example, how to run borgserver using docker-compose:
+Here is a quick example, how to run borgserver using docker-compose: [docker-compose.yml](https://github.com/Nold360/docker-borgserver/blob/master/docker-compose.yml)
-```
-services:
- borgserver:
-  image: nold360/borgserver
-  volumes:
-   - /backup:/backup
-   - ./sshkeys:/sshkeys
-  ports:
-   - "2222:22"
-  environment:
-   BORG_SERVE_ARGS: ""
-   BORG_APPEND_ONLY: "no"
-   BORG_ADMIN: ""
-   PUID: 1000
-   PGID: 1000
-```
 
 ### ~/.ssh/config for clients
 With this configuration (on your borg client) you can easily connect to your borgserver.

data/create-client-dirs.sh

@@ -1,55 +0,0 @@
-#!/bin/bash
-# This script generates the authorized_keys file from SSH_KEY_DIR
-# authorized_keys will only get overridden after syntax check
-set -e
-source env.sh
-
-TMPFILE=$(mktemp)
-
-echo "######################################################"
-echo "* Regenerate borgserver authorized_keys *"
-echo "######################################################"
-
-# Add every key to borg-users authorized_keys
-for keyfile in $(find "${SSH_KEY_DIR}/clients" ! -regex '.*/\..*' -a -type f); do
-  client_name=$(basename ${keyfile})
-
-	# Only import valid keyfiles, skip other files
-  if ! ssh-keygen -lf $keyfile >/dev/null ; then
-		echo " Warning: Skipping invalid ssh-key file '$keyfile'"
-		continue
-	fi
-
-  if [ ! -d "${BORG_DATA_DIR}/${client_name}" ]; then
-    echo "  ** Adding client ${client_name} with repo path ${BORG_DATA_DIR}/${client_name}"
-    mkdir "${BORG_DATA_DIR}/${client_name}"
-  else
-    echo "Directory ${BORG_DATA_DIR}/${client_name} exists: Nothing to do"
-  fi
-
-  # If client is $BORG_ADMIN unset $client_name, so path restriction equals $BORG_DATA_DIR
-  # Otherwise add --append-only, if enabled
-  borg_cmd=${BORG_CMD}
-  if [ "${client_name}" == "${BORG_ADMIN}" ] ; then
-    echo "   ** Client '${client_name}' is BORG_ADMIN! **"
-    unset client_name
-  elif [ "${BORG_APPEND_ONLY}" == "yes" ] ; then
-    borg_cmd="${BORG_CMD} --append-only"
-  fi
-
-  echo -n "command=\"$(eval echo -n \"${borg_cmd}\")\" " >> ${TMPFILE}
-  cat ${keyfile} >> ${TMPFILE}
-done
-
-# Due to `set -e` the script will end here on failure anyways
-echo " * Validating structure of generated ${AUTHORIZED_KEYS_PATH}..."
-ssh-keygen -lf ${TMPFILE} >/dev/null
-
-mv ${TMPFILE} ${AUTHORIZED_KEYS_PATH}
-echo " ** Success"
-
-chown -R borg:borg ${BORG_DATA_DIR}
-chown borg:borg ${AUTHORIZED_KEYS_PATH}
-chmod 600 ${AUTHORIZED_KEYS_PATH}
-
-exit 0

data/env.sh

@@ -1,23 +0,0 @@
-# Default values for environment
-PATH=$PATH:/usr/local/bin
-PUID=${PUID:-1000}
-PGID=${PGID:-1000}
-
-# Append only mode?
-BORG_APPEND_ONLY=${BORG_APPEND_ONLY:=no}
-
-# Volume for backup repositories
-BORG_DATA_DIR=${BORG_DATA_DIR:-/backup}
-
-# Branch of KEY_GIT_URL
-KEY_GIT_BRANCH=${KEY_GIT_BRANCH:-master}
-
-# This will contain the host and client keys
-SSH_KEY_DIR=${SSH_KEY_DIR:-/sshkeys}
-
-### CAUTION
-# This is more of a template then something you need to change, it should stay static
-BORG_CMD='cd ${BORG_DATA_DIR}/${client_name}; borg serve --restrict-to-path ${BORG_DATA_DIR}/${client_name} ${BORG_SERVE_ARGS}'
-
-# Path to authorized_keys file
-AUTHORIZED_KEYS_PATH=${AUTHORIZED_KEYS_PATH:-/home/borg/.ssh/authorized_keys}

data/run.sh

@@ -1,30 +1,36 @@
 #!/bin/bash
 # Start Script for docker-borgserver
-set -e
+
-source env.sh
+PUID=${PUID:-1000}
+PGID=${PGID:-1000}
 
 usermod -o -u "$PUID" borg &>/dev/null
 groupmod -o -g "$PGID" borg &>/dev/null
 
+BORG_DATA_DIR=/backup
+SSH_KEY_DIR=/sshkeys
+BORG_CMD='cd ${BORG_DATA_DIR}/${client_name}; borg serve --restrict-to-path ${BORG_DATA_DIR}/${client_name} ${BORG_SERVE_ARGS}'
+AUTHORIZED_KEYS_PATH=/home/borg/.ssh/authorized_keys
+
+# Append only mode?
+BORG_APPEND_ONLY=${BORG_APPEND_ONLY:=no}
+
+source /etc/os-release
 echo "########################################################"
 echo -n " * Docker BorgServer powered by "
 borg -V
+echo " * Based on ${PRETTY_NAME}"
 echo "########################################################"
 echo " * User  id: $(id -u borg)"
 echo " * Group id: $(id -g borg)"
-if [ -z "${KEY_GIT_URL}" ] ; then
-  echo "* Pulling keys from ${KEY_GIT_URL}"
-fi
 echo "########################################################"
 
+
 # Precheck if BORG_ADMIN is set
 if [ "${BORG_APPEND_ONLY}" == "yes" ] && [ -z "${BORG_ADMIN}" ] ; then
 	echo "WARNING: BORG_APPEND_ONLY is active, but no BORG_ADMIN was specified!"
 fi
 
-# Init the ssh keys directory from a remote git repository
-update-ssh-keys.sh
-
 # Precheck directories & client ssh-keys
 for dir in BORG_DATA_DIR SSH_KEY_DIR ; do
 	dirpath=$(eval echo '$'${dir})
@@ -50,8 +56,42 @@ for keytype in ed25519 rsa ; do
 	fi
 done
 
+echo "########################################################"
+echo " * Starting SSH-Key import..."
+
 # Add every key to borg-users authorized_keys
-create-client-dirs.sh
+rm ${AUTHORIZED_KEYS_PATH} &>/dev/null
+for keyfile in $(find "${SSH_KEY_DIR}/clients" ! -regex '.*/\..*' -a -type f); do
+    client_name=$(basename ${keyfile})
+    mkdir ${BORG_DATA_DIR}/${client_name} 2>/dev/null
+    echo "  ** Adding client ${client_name} with repo path ${BORG_DATA_DIR}/${client_name}"
+
+	# If client is $BORG_ADMIN unset $client_name, so path restriction equals $BORG_DATA_DIR
+	# Otherwise add --append-only, if enabled
+	borg_cmd=${BORG_CMD}
+	if [ "${client_name}" == "${BORG_ADMIN}" ] ; then
+		echo "   ** Client '${client_name}' is BORG_ADMIN! **"
+		unset client_name
+	elif [ "${BORG_APPEND_ONLY}" == "yes" ] ; then
+		borg_cmd="${BORG_CMD} --append-only"
+	fi
+
+  echo -n "restrict,command=\"$(eval echo -n \"${borg_cmd}\")\" " >> ${AUTHORIZED_KEYS_PATH}
+  cat ${keyfile} >> ${AUTHORIZED_KEYS_PATH}
+  echo >> ${AUTHORIZED_KEYS_PATH}
+done
+chmod 0600 "${AUTHORIZED_KEYS_PATH}"
+
+echo " * Validating structure of generated ${AUTHORIZED_KEYS_PATH}..."
+ERROR=$(ssh-keygen -lf ${AUTHORIZED_KEYS_PATH} 2>&1 >/dev/null)
+if [ $? -ne 0 ]; then
+    echo "ERROR: ${ERROR}"
+    exit 1
+fi
+
+chown -R borg:borg ${BORG_DATA_DIR}
+chown borg:borg ${AUTHORIZED_KEYS_PATH}
+chmod 600 ${AUTHORIZED_KEYS_PATH}
 
 echo "########################################################"
 echo " * Init done! Starting SSH-Daemon..."

data/sshd_config

@@ -25,3 +25,6 @@ PermitTTY no
 PrintMotd no
 PermitTunnel no
 Subsystem	sftp	/bin/false
+
+ClientAliveInterval 10
+ClientAliveCountMax 30

data/update-ssh-keys.sh

@@ -1,20 +0,0 @@
-#!/bin/bash
-# This script updates the authorized_keys file
-# Will clone/pull ssh-pubkeys from GIT_KEY_URL if set
-set -e
-source env.sh
-
-if [ -d "${SSH_KEY_DIR}/clients/.git" ] ; then
-  git -C "${SSH_KEY_DIR}/clients" fetch
-  if ! git -C "${SSH_KEY_DIR}/clients" diff --quiet remotes/origin/HEAD; then
-    echo "Pull from git repository"
-    git -C "${SSH_KEY_DIR}/clients" pull
-    create-client-dirs.sh
-  else
-    echo "$0: Nothing to do"
-  fi
-elif [ ! -z "${KEY_GIT_URL}" ] ; then
-	git clone --depth=1 -b ${KEY_GIT_BRANCH} ${KEY_GIT_URL} ${SSH_KEY_DIR}/clients
-fi
-
-exit 0

docker-compose.yml

@@ -1,23 +1,21 @@
 version: '3'
 services:
  borgserver:
-  #image: nold360/borgserver
+  image: git.merp.digital/eranmorkon/borgserver
-  build:
+  #build: .
-    context: .
-    dockerfile: Dockerfile.pullgit
   volumes:
    - ./backup:/backup
    - ./sshkeys:/sshkeys
   ports:
    - "2222:22"
-  env_file: .env
   environment:
+  # Additional Arguments, see https://borgbackup.readthedocs.io/en/stable/usage/serve.html
    BORG_SERVE_ARGS: ""
 
    # If set to "yes", only the BORG_ADMIN
-   # can delete/prune the all clients archives/repos
+   # can delete/prune the other clients archives/repos
    BORG_APPEND_ONLY: "no"
 
-   # Hostname of Admin's SSH-Key
+   # Filename of Admins SSH-Key; has full access to all repos
    BORG_ADMIN: ""
   restart: unless-stopped