Compare commits

..

16 commits

Author SHA1 Message Date
Andreas Mieke 6035ca549e Merge branch 'release/1.0.0'
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
2024-01-13 03:20:38 +01:00
Andreas Mieke 397f800372 fix(platforms): Remove useless platforms
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
2024-01-13 03:17:42 +01:00
Andreas Mieke 49b78cf10f feat(platforms): Add ARM support
Some checks failed
ci/woodpecker/push/woodpecker Pipeline failed
2024-01-13 03:14:36 +01:00
nold 45e8883cae fix(sshd_config): recommended keepalive values 2022-11-24 16:29:39 +01:00
nold ef02f845dc add(ci): woodpecker.yml 2022-11-24 16:15:37 +01:00
nold 57ed075e22 Update(drone): Image tag for bookwork v1.2 & v1.2.2 2022-09-20 09:06:17 +02:00
Nold 2c76a45aca
Update: bookworm image version 1.2.1 2022-07-20 11:01:57 +02:00
nold ea677a7da9 Add(drone): Build Bookworm 2022-05-11 18:54:55 +02:00
Gerrit Pannek 95ec06eb80 Fix(run.sh): Add new line in authorized_keys [Fixes #12] 2022-02-05 18:13:41 +01:00
Nold 0b641a8253
Upgrade: bullseye & borgbackup 1.1.16 (#13)
* Upgrade to bullseye-slim image
* Fix(run.sh): authorized_keys permissions
* Change(run.sh): Add restrict to client keys & output debian version
* Change(Dockerfile): Allow different base images
* Update(drone): Build buster & bullseye images
* Update README
2022-01-21 10:33:54 +01:00
nold 7b241c142b Update: README & docker-compose example 2022-01-21 10:02:01 +01:00
nold 7d29e33747 Fix: drone - use kaniko for building 2021-11-29 17:39:31 +01:00
nold 674b4d8757 Add: drone.yml 2021-08-13 12:56:36 +02:00
nold ac797c90f6 Minor output change to PR#5 - thanks abmaonline 2019-12-05 16:55:06 +01:00
Matthijs Abma 5d0d13c42a Add simple integrity check for authorized_keys file, in case you put something interesting in your BORG_SERVE_ARGS 2019-12-01 17:58:29 +01:00
Matthijs Abma 590d6712fb Create borg group and add option to set user id and group id explicitly for easier access to host resources 2019-12-01 17:56:05 +01:00
6 changed files with 96 additions and 50 deletions

39
.woodpecker.yml Normal file
View file

@ -0,0 +1,39 @@
steps:
build:
image: woodpeckerci/plugin-docker-buildx
settings:
dry-run: true
repo: git.merp.digital/${CI_REPO_OWNER}/borgserver
platforms: linux/386,linux/amd64,linux/arm/v7,linux/arm64/v8
registry: git.merp.digital
when:
- event: push
branch:
exclude: [develop, master]
publish-nightly:
image: woodpeckerci/plugin-docker-buildx
settings:
repo: git.merp.digital/${CI_REPO_OWNER}/borgserver
platforms: linux/386,linux/amd64,linux/arm/v7,linux/arm64/v8
registry: git.merp.digital
tags: develop-${CI_COMMIT_SHA}
username: ${CI_REPO_OWNER}
password:
from_secret: cb_token
when:
- event: push
branch: develop
publish-release:
image: woodpeckerci/plugin-docker-buildx
settings:
repo: git.merp.digital/${CI_REPO_OWNER}/borgserver
platforms: linux/386,linux/amd64,linux/arm/v7,linux/arm64/v8
registry: git.merp.digital
tags: ${CI_COMMIT_TAG}
username: ${CI_REPO_OWNER}
password:
from_secret: cb_token
when:
- event: tag

View file

@ -2,7 +2,7 @@
# Dockerfile to build borgbackup server images # Dockerfile to build borgbackup server images
# Based on Debian # Based on Debian
############################################################ ############################################################
FROM debian:buster-slim FROM debian:12.4-slim
# Volume for SSH-Keys # Volume for SSH-Keys
VOLUME /sshkeys VOLUME /sshkeys
@ -13,11 +13,11 @@ VOLUME /backup
ENV DEBIAN_FRONTEND noninteractive ENV DEBIAN_FRONTEND noninteractive
RUN apt-get update && apt-get -y --no-install-recommends install \ RUN apt-get update && apt-get -y --no-install-recommends install \
borgbackup openssh-server git ca-certificates && apt-get clean && \ borgbackup openssh-server && apt-get clean && \
useradd -s /bin/bash -m borg && \ useradd -s /bin/bash -m -U borg && \
mkdir /home/borg/.ssh && \ mkdir /home/borg/.ssh && \
chmod 700 /home/borg/.ssh && \ chmod 700 /home/borg/.ssh && \
chown borg: /home/borg/.ssh && \ chown borg:borg /home/borg/.ssh && \
mkdir /run/sshd && \ mkdir /run/sshd && \
rm -f /etc/ssh/ssh_host*key* && \ rm -f /etc/ssh/ssh_host*key* && \
rm -rf /var/lib/apt/lists/* /var/tmp/* /tmp/* rm -rf /var/lib/apt/lists/* /var/tmp/* /tmp/*

View file

@ -29,7 +29,7 @@ docker run -td \
-p 2222:22 \ -p 2222:22 \
--volume ./borg/sshkeys:/sshkeys \ --volume ./borg/sshkeys:/sshkeys \
--volume ./borg/backup:/backup \ --volume ./borg/backup:/backup \
nold360/borgserver:latest git.merp.digital/eranmorkon/borgserver:1.0.0
``` ```
@ -45,7 +45,7 @@ See the the documentation for all available arguments: [borgbackup.readthedocs.i
##### Example ##### Example
``` ```
docker run --rm -e BORG_SERVE_ARGS="--progress --debug" (...) nold360/borgserver docker run --rm -e BORG_SERVE_ARGS="--progress --debug" (...) git.merp.digital/eranmorkon/borgserver
``` ```
#### BORG_APPEND_ONLY #### BORG_APPEND_ONLY
@ -62,7 +62,7 @@ To declare a client as admin, set this variable to the name of the client/sshkey
##### Example ##### Example
``` ```
docker run --rm -e BORG_APPEND_ONLY="yes" -e BORG_ADMIN="nolds_notebook" (...) nold360/borgserver docker run --rm -e BORG_APPEND_ONLY="yes" -e BORG_ADMIN="nolds_notebook" (...) git.merp.digital/eranmorkon/borgserver
``` ```
To prune repos from another client, you have to add the path to the repository in the clients directory: To prune repos from another client, you have to add the path to the repository in the clients directory:
@ -71,6 +71,14 @@ borg prune --keep-last 100 --keep-weekly 1 (...) borgserver:/clientA/clientA
``` ```
#### PUID
Used to set the user id of the `borg` user inside the container. This can be useful when the container has to access resources on the host with a specific user id.
#### PGID
Used to set the group id of the `borg` group inside the container. This can be useful when the container has to access resources on the host with a specific group id.
### Persistent Storages & Client Configuration ### Persistent Storages & Client Configuration
We will need two persistent storage directories for our borgserver to be usefull. We will need two persistent storage directories for our borgserver to be usefull.
@ -104,21 +112,7 @@ In this directory will borg write all the client data to. It's best to start wit
## Example Setup ## Example Setup
### docker-compose.yml ### docker-compose.yml
Here is a quick example, how to run borgserver using docker-compose: Here is a quick example, how to run borgserver using docker-compose: [docker-compose.yml](https://github.com/Nold360/docker-borgserver/blob/master/docker-compose.yml)
```
services:
borgserver:
image: nold360/borgserver
volumes:
- /backup:/backup
- ./sshkeys:/sshkeys
ports:
- "2222:22"
environment:
BORG_SERVE_ARGS: ""
BORG_APPEND_ONLY: "no"
BORG_ADMIN: ""
```
### ~/.ssh/config for clients ### ~/.ssh/config for clients
With this configuration (on your borg client) you can easily connect to your borgserver. With this configuration (on your borg client) you can easily connect to your borgserver.

View file

@ -1,33 +1,36 @@
#!/bin/bash #!/bin/bash
# Start Script for docker-borgserver # Start Script for docker-borgserver
#set -x
#BORG_SERVE_ARGS=${BORG_SERVE_ARGS:=""} PUID=${PUID:-1000}
BORG_APPEND_ONLY=${BORG_APPEND_ONLY:=no} PGID=${PGID:-1000}
BORG_DATA_DIR="${BORG_DATA_DIR:=/backup}"
SSH_KEY_DIR="${SSH_KEY_DIR:=/sshkeys}" usermod -o -u "$PUID" borg &>/dev/null
groupmod -o -g "$PGID" borg &>/dev/null
BORG_DATA_DIR=/backup
SSH_KEY_DIR=/sshkeys
BORG_CMD='cd ${BORG_DATA_DIR}/${client_name}; borg serve --restrict-to-path ${BORG_DATA_DIR}/${client_name} ${BORG_SERVE_ARGS}' BORG_CMD='cd ${BORG_DATA_DIR}/${client_name}; borg serve --restrict-to-path ${BORG_DATA_DIR}/${client_name} ${BORG_SERVE_ARGS}'
AUTHORIZED_KEYS_PATH=/home/borg/.ssh/authorized_keys
# Append only mode?
BORG_APPEND_ONLY=${BORG_APPEND_ONLY:=no}
source /etc/os-release
echo "########################################################" echo "########################################################"
echo -n " * Docker BorgServer powered by " echo -n " * Docker BorgServer powered by "
borg -V borg -V
echo " * Based on ${PRETTY_NAME}"
echo "########################################################" echo "########################################################"
echo " * User id: $(id -u borg)"
echo " * Group id: $(id -g borg)"
echo "########################################################"
# Precheck if BORG_ADMIN is set # Precheck if BORG_ADMIN is set
if [ "${BORG_APPEND_ONLY}" == "yes" ] && [ -z "${BORG_ADMIN}" ] ; then if [ "${BORG_APPEND_ONLY}" == "yes" ] && [ -z "${BORG_ADMIN}" ] ; then
echo "WARNING: BORG_APPEND_ONLY is active, but no BORG_ADMIN was specified!" echo "WARNING: BORG_APPEND_ONLY is active, but no BORG_ADMIN was specified!"
fi fi
if [ ! -z "${SSH_KEY_GIT}" ] ; then
echo "SSH_KEY_GIT set, cloning '${SSH_KEY_GIT}' into '${SSH_KEY_DIR}/clients'"
if [ ! -d "${SSH_KEY_DIR}/clients/.git" ] ; then
# FIXME: Should the container die here, in case of error?
git clone "${SSH_KEY_GIT}" "${SSH_KEY_DIR}/clients"
else
git -C "${SSH_KEY_DIR}/clients" pull
fi
fi
# Precheck directories & client ssh-keys # Precheck directories & client ssh-keys
for dir in BORG_DATA_DIR SSH_KEY_DIR ; do for dir in BORG_DATA_DIR SSH_KEY_DIR ; do
dirpath=$(eval echo '$'${dir}) dirpath=$(eval echo '$'${dir})
@ -57,7 +60,7 @@ echo "########################################################"
echo " * Starting SSH-Key import..." echo " * Starting SSH-Key import..."
# Add every key to borg-users authorized_keys # Add every key to borg-users authorized_keys
rm /home/borg/.ssh/authorized_keys &>/dev/null rm ${AUTHORIZED_KEYS_PATH} &>/dev/null
for keyfile in $(find "${SSH_KEY_DIR}/clients" ! -regex '.*/\..*' -a -type f); do for keyfile in $(find "${SSH_KEY_DIR}/clients" ! -regex '.*/\..*' -a -type f); do
client_name=$(basename ${keyfile}) client_name=$(basename ${keyfile})
mkdir ${BORG_DATA_DIR}/${client_name} 2>/dev/null mkdir ${BORG_DATA_DIR}/${client_name} 2>/dev/null
@ -73,13 +76,22 @@ for keyfile in $(find "${SSH_KEY_DIR}/clients" ! -regex '.*/\..*' -a -type f); d
borg_cmd="${BORG_CMD} --append-only" borg_cmd="${BORG_CMD} --append-only"
fi fi
echo -n "command=\"$(eval echo -n \"${borg_cmd}\")\" " >> /home/borg/.ssh/authorized_keys echo -n "restrict,command=\"$(eval echo -n \"${borg_cmd}\")\" " >> ${AUTHORIZED_KEYS_PATH}
cat ${keyfile} >> /home/borg/.ssh/authorized_keys cat ${keyfile} >> ${AUTHORIZED_KEYS_PATH}
echo >> ${AUTHORIZED_KEYS_PATH}
done done
chmod 0600 "${AUTHORIZED_KEYS_PATH}"
chown -R borg: /backup echo " * Validating structure of generated ${AUTHORIZED_KEYS_PATH}..."
chown borg: /home/borg/.ssh/authorized_keys ERROR=$(ssh-keygen -lf ${AUTHORIZED_KEYS_PATH} 2>&1 >/dev/null)
chmod 600 /home/borg/.ssh/authorized_keys if [ $? -ne 0 ]; then
echo "ERROR: ${ERROR}"
exit 1
fi
chown -R borg:borg ${BORG_DATA_DIR}
chown borg:borg ${AUTHORIZED_KEYS_PATH}
chmod 600 ${AUTHORIZED_KEYS_PATH}
echo "########################################################" echo "########################################################"
echo " * Init done! Starting SSH-Daemon..." echo " * Init done! Starting SSH-Daemon..."

View file

@ -25,3 +25,6 @@ PermitTTY no
PrintMotd no PrintMotd no
PermitTunnel no PermitTunnel no
Subsystem sftp /bin/false Subsystem sftp /bin/false
ClientAliveInterval 10
ClientAliveCountMax 30

View file

@ -1,23 +1,21 @@
version: '3' version: '3'
services: services:
borgserver: borgserver:
#image: nold360/borgserver image: git.merp.digital/eranmorkon/borgserver
build: . #build: .
volumes: volumes:
- ./backup:/backup - ./backup:/backup
- ./sshkeys:/sshkeys - ./sshkeys:/sshkeys
ports: ports:
- "2222:22" - "2222:22"
environment: environment:
# Additional Arguments, see https://borgbackup.readthedocs.io/en/stable/usage/serve.html
BORG_SERVE_ARGS: "" BORG_SERVE_ARGS: ""
# If set to "yes", only the BORG_ADMIN # If set to "yes", only the BORG_ADMIN
# can delete/prune the all clients archives/repos # can delete/prune the other clients archives/repos
BORG_APPEND_ONLY: "no" BORG_APPEND_ONLY: "no"
# Hostname of Admin's SSH-Key # Filename of Admins SSH-Key; has full access to all repos
BORG_ADMIN: "" BORG_ADMIN: ""
# Client Pubkeys in git:
SSH_KEY_GIT: "https://github.com/<username>/<repo>.git"
restart: unless-stopped restart: unless-stopped