Compare commits

..

1 commit

13 changed files with 293 additions and 197 deletions

1
.gitignore vendored
View file

@ -1,2 +1,3 @@
/backup
/sshkeys
.env

View file

@ -1,39 +0,0 @@
steps:
build:
image: woodpeckerci/plugin-docker-buildx
settings:
dry-run: true
repo: git.merp.digital/${CI_REPO_OWNER}/borgserver
platforms: linux/386,linux/amd64,linux/arm/v7,linux/arm64/v8
registry: git.merp.digital
when:
- event: push
branch:
exclude: [develop, master]
publish-nightly:
image: woodpeckerci/plugin-docker-buildx
settings:
repo: git.merp.digital/${CI_REPO_OWNER}/borgserver
platforms: linux/386,linux/amd64,linux/arm/v7,linux/arm64/v8
registry: git.merp.digital
tags: develop-${CI_COMMIT_SHA}
username: ${CI_REPO_OWNER}
password:
from_secret: cb_token
when:
- event: push
branch: develop
publish-release:
image: woodpeckerci/plugin-docker-buildx
settings:
repo: git.merp.digital/${CI_REPO_OWNER}/borgserver
platforms: linux/386,linux/amd64,linux/arm/v7,linux/arm64/v8
registry: git.merp.digital
tags: ${CI_COMMIT_TAG}
username: ${CI_REPO_OWNER}
password:
from_secret: cb_token
when:
- event: tag

View file

@ -1,31 +0,0 @@
############################################################
# Dockerfile to build borgbackup server images
# Based on Debian
############################################################
FROM debian:12.4-slim
# Volume for SSH-Keys
VOLUME /sshkeys
# Volume for borg repositories
VOLUME /backup
ENV DEBIAN_FRONTEND noninteractive
RUN apt-get update && apt-get -y --no-install-recommends install \
borgbackup openssh-server && apt-get clean && \
useradd -s /bin/bash -m -U borg && \
mkdir /home/borg/.ssh && \
chmod 700 /home/borg/.ssh && \
chown borg:borg /home/borg/.ssh && \
mkdir /run/sshd && \
rm -f /etc/ssh/ssh_host*key* && \
rm -rf /var/lib/apt/lists/* /var/tmp/* /tmp/*
COPY ./data/run.sh /run.sh
COPY ./data/sshd_config /etc/ssh/sshd_config
ENTRYPOINT /run.sh
# Default SSH-Port for clients
EXPOSE 22

View file

@ -29,7 +29,7 @@ docker run -td \
-p 2222:22 \
--volume ./borg/sshkeys:/sshkeys \
--volume ./borg/backup:/backup \
git.merp.digital/eranmorkon/borgserver:1.0.0
nold360/borgserver:latest
```
@ -45,7 +45,7 @@ See the the documentation for all available arguments: [borgbackup.readthedocs.i
##### Example
```
docker run --rm -e BORG_SERVE_ARGS="--progress --debug" (...) git.merp.digital/eranmorkon/borgserver
docker run --rm -e BORG_SERVE_ARGS="--progress --debug" (...) nold360/borgserver
```
#### BORG_APPEND_ONLY
@ -62,7 +62,7 @@ To declare a client as admin, set this variable to the name of the client/sshkey
##### Example
```
docker run --rm -e BORG_APPEND_ONLY="yes" -e BORG_ADMIN="nolds_notebook" (...) git.merp.digital/eranmorkon/borgserver
docker run --rm -e BORG_APPEND_ONLY="yes" -e BORG_ADMIN="nolds_notebook" (...) nold360/borgserver
```
To prune repos from another client, you have to add the path to the repository in the clients directory:
@ -112,7 +112,23 @@ In this directory will borg write all the client data to. It's best to start wit
## Example Setup
### docker-compose.yml
Here is a quick example, how to run borgserver using docker-compose: [docker-compose.yml](https://github.com/Nold360/docker-borgserver/blob/master/docker-compose.yml)
Here is a quick example, how to run borgserver using docker-compose:
```
services:
borgserver:
image: nold360/borgserver
volumes:
- /backup:/backup
- ./sshkeys:/sshkeys
ports:
- "2222:22"
environment:
BORG_SERVE_ARGS: ""
BORG_APPEND_ONLY: "no"
BORG_ADMIN: ""
PUID: 1000
PGID: 1000
```
### ~/.ssh/config for clients
With this configuration (on your borg client) you can easily connect to your borgserver.

2
build.sh Normal file
View file

@ -0,0 +1,2 @@
docker build -t borg:git server
docker build -t borg:init init

View file

@ -1,99 +0,0 @@
#!/bin/bash
# Start Script for docker-borgserver
PUID=${PUID:-1000}
PGID=${PGID:-1000}
usermod -o -u "$PUID" borg &>/dev/null
groupmod -o -g "$PGID" borg &>/dev/null
BORG_DATA_DIR=/backup
SSH_KEY_DIR=/sshkeys
BORG_CMD='cd ${BORG_DATA_DIR}/${client_name}; borg serve --restrict-to-path ${BORG_DATA_DIR}/${client_name} ${BORG_SERVE_ARGS}'
AUTHORIZED_KEYS_PATH=/home/borg/.ssh/authorized_keys
# Append only mode?
BORG_APPEND_ONLY=${BORG_APPEND_ONLY:=no}
source /etc/os-release
echo "########################################################"
echo -n " * Docker BorgServer powered by "
borg -V
echo " * Based on ${PRETTY_NAME}"
echo "########################################################"
echo " * User id: $(id -u borg)"
echo " * Group id: $(id -g borg)"
echo "########################################################"
# Precheck if BORG_ADMIN is set
if [ "${BORG_APPEND_ONLY}" == "yes" ] && [ -z "${BORG_ADMIN}" ] ; then
echo "WARNING: BORG_APPEND_ONLY is active, but no BORG_ADMIN was specified!"
fi
# Precheck directories & client ssh-keys
for dir in BORG_DATA_DIR SSH_KEY_DIR ; do
dirpath=$(eval echo '$'${dir})
echo " * Testing Volume ${dir}: ${dirpath}"
if [ ! -d "${dirpath}" ] ; then
echo "ERROR: ${dirpath} is no directory!"
exit 1
fi
if [ "$(find ${SSH_KEY_DIR}/clients ! -regex '.*/\..*' -a -type f | wc -l)" == "0" ] ; then
echo "ERROR: No SSH-Pubkey file found in ${SSH_KEY_DIR}"
exit 1
fi
done
# Create SSH-Host-Keys on persistent storage, if not exist
mkdir -p ${SSH_KEY_DIR}/host 2>/dev/null
echo " * Checking / Preparing SSH Host-Keys..."
for keytype in ed25519 rsa ; do
if [ ! -f "${SSH_KEY_DIR}/host/ssh_host_${keytype}_key" ] ; then
echo " ** Creating SSH Hostkey [${keytype}]..."
ssh-keygen -q -f "${SSH_KEY_DIR}/host/ssh_host_${keytype}_key" -N '' -t ${keytype}
fi
done
echo "########################################################"
echo " * Starting SSH-Key import..."
# Add every key to borg-users authorized_keys
rm ${AUTHORIZED_KEYS_PATH} &>/dev/null
for keyfile in $(find "${SSH_KEY_DIR}/clients" ! -regex '.*/\..*' -a -type f); do
client_name=$(basename ${keyfile})
mkdir ${BORG_DATA_DIR}/${client_name} 2>/dev/null
echo " ** Adding client ${client_name} with repo path ${BORG_DATA_DIR}/${client_name}"
# If client is $BORG_ADMIN unset $client_name, so path restriction equals $BORG_DATA_DIR
# Otherwise add --append-only, if enabled
borg_cmd=${BORG_CMD}
if [ "${client_name}" == "${BORG_ADMIN}" ] ; then
echo " ** Client '${client_name}' is BORG_ADMIN! **"
unset client_name
elif [ "${BORG_APPEND_ONLY}" == "yes" ] ; then
borg_cmd="${BORG_CMD} --append-only"
fi
echo -n "restrict,command=\"$(eval echo -n \"${borg_cmd}\")\" " >> ${AUTHORIZED_KEYS_PATH}
cat ${keyfile} >> ${AUTHORIZED_KEYS_PATH}
echo >> ${AUTHORIZED_KEYS_PATH}
done
chmod 0600 "${AUTHORIZED_KEYS_PATH}"
echo " * Validating structure of generated ${AUTHORIZED_KEYS_PATH}..."
ERROR=$(ssh-keygen -lf ${AUTHORIZED_KEYS_PATH} 2>&1 >/dev/null)
if [ $? -ne 0 ]; then
echo "ERROR: ${ERROR}"
exit 1
fi
chown -R borg:borg ${BORG_DATA_DIR}
chown borg:borg ${AUTHORIZED_KEYS_PATH}
chmod 600 ${AUTHORIZED_KEYS_PATH}
echo "########################################################"
echo " * Init done! Starting SSH-Daemon..."
/usr/sbin/sshd -D -e

View file

@ -1,21 +1,46 @@
version: '3'
services:
borgserver:
image: git.merp.digital/eranmorkon/borgserver
#build: .
init:
image: borg:init
env_file: .env
volumes:
- ./backup:/backup
- ./sshkeys:/sshkeys
- borg-home:/home/borg/.ssh:rw
- host-keys:/sshkeys:rw
# FIXME: i want to get rid of that..
- backup:/backup:rw
restart: "no"
borgserver:
#image: nold360/borgserver
image: borg:git
user: 1000:1000
volumes:
# generated authorized_keys by init
- borg-home:/home/borg/.ssh:ro
# only contains host-keys now
- host-keys:/sshkeys:ro
# Backup repository for borg
- backup:/backup:rw
ports:
- "2222:22"
- "2222:2222"
environment:
# Additional Arguments, see https://borgbackup.readthedocs.io/en/stable/usage/serve.html
BORG_SERVE_ARGS: ""
# If set to "yes", only the BORG_ADMIN
# can delete/prune the other clients archives/repos
# can delete/prune the all clients archives/repos
BORG_APPEND_ONLY: "no"
# Filename of Admins SSH-Key; has full access to all repos
# Hostname of Admin's SSH-Key
BORG_ADMIN: ""
depends_on:
- init
restart: unless-stopped
# Shared volume to exchange authorized_keys between init & server
volumes:
borg-home:
host-keys:
backup:

2
env.example Normal file
View file

@ -0,0 +1,2 @@
KEY_GIT_URL=https://github.com/yourName/your-ssh-pub-keys.git
KEY_GIT_BRANCH=master

13
init/Dockerfile Normal file
View file

@ -0,0 +1,13 @@
# Borgserver Init-Container, simply replace entrypoiny and install git
#FROM nold360/borgserver:latest
FROM borg:git
USER root
RUN export DEBIAN_FRONTEND=noninteractive && \
apt-get update && \
apt-get -y --no-install-recommends install \
git ca-certificates && \
apt-get clean && \
rm -rf /var/lib/apt/lists/* /var/tmp/* /tmp/*
COPY ./entrypoint.sh /entrypoint.sh

107
init/entrypoint.sh Executable file
View file

@ -0,0 +1,107 @@
#!/bin/bash
# Init-Start Script for docker-borgserver
# Will pull ssh-keys from git specified via KEY_GIT_URL and KEY_GIT_BRANCH [default: master]
# and merge them into a single [openssh] authorized_keys file.
PUID=${PUID:-1000}
PGID=${PGID:-1000}
usermod -o -u "$PUID" borg &>/dev/null
groupmod -o -g "$PGID" borg &>/dev/null
# FIXME: Is this changeable? guess it should be.. should move it to some kind of
# build-env file
BORG_DATA_DIR=${BORG_DATA_DIR:-/backup}
BORG_CMD='cd ${BORG_DATA_DIR}/${client_name}; borg serve --restrict-to-path ${BORG_DATA_DIR}/${client_name} ${BORG_SERVE_ARGS}'
KEY_GIT_BRANCH=${KEY_GIT_BRANCH:-master}
# This is the path where the final authorized_keys will be written:
AUTHORIZED_KEYS_PATH=${AUTHORIZED_KEYS_PATH:-/home/borg/.ssh/authorized_keys}
# This will only contain host-keys now
SSH_KEY_DIR=${SSH_KEY_DIR:-/sshkeys}
# This is no volume anymore, only temporary during init
GIT_KEY_DIR=/tmp/gitkeys
echo "########################################################"
echo " * Docker BorgServer | Git Init-Container *"
echo " * $(id)"
if [ ! -z "${KEY_GIT_URL}" ] ; then
# FIXME: Should the container die here, in case of error?
# To workaround the limitations of docker-compose we could just loop here like.. forever
# INFO: simle git clone would be enouth, but you can also use a volume for SSH_KEY_DIR if you like
echo " * Cloning '${KEY_GIT_URL}' into '${GIT_KEY_DIR}/clients'"
if [ ! -d "${GIT_KEY_DIR}/clients/.git" ] ; then
git clone -b ${KEY_GIT_BRANCH} --depth=1 "${KEY_GIT_URL}" "${GIT_KEY_DIR}/clients"
else
git -C "${GIT_KEY_DIR}/clients" pull
fi
else
echo " ! FATAL ERROR: KEY_GIT_URL is not set! Can't continue."
exit 1
fi
if [ "$(find ${GIT_KEY_DIR}/clients ! -regex '.*/\..*' -a -type f | wc -l)" == "0" ] ; then
echo " ! FATAL ERROR: No SSH-Pubkey file found in ${GIT_KEY_DIR}. Can't continue."
exit 2
fi
# Create SSH-Host-Keys on persistent storage, if not exist
# This also means that `${SSH_KEY_DIR}` has to be a shared volume
echo " * Checking / Preparing SSH Host-Keys..."
for keytype in ed25519 rsa ; do
if [ ! -f "${SSH_KEY_DIR}/ssh_host_${keytype}_key" ] ; then
echo " ** Creating SSH Hostkey [${keytype}]..."
ssh-keygen -q -f "${SSH_KEY_DIR}/ssh_host_${keytype}_key" -N '' -t ${keytype}
fi
done
echo "########################################################"
echo " * Starting SSH-Key import..."
# Add every key to borg-users authorized_keys
# FIXME: mkdir of filestructure must still be done by server-container
# since we shouldn't have access to the backup-data volume in init
rm -f ${AUTHORIZED_KEYS_PATH} &>/dev/null
for keyfile in $(find "${GIT_KEY_DIR}" ! -regex '.*/\..*' -a -type f); do
client_name=$(basename ${keyfile})
# check if file is a valid openssh public key
if ! ssh-keygen -lf $keyfile &>/dev/null ; then
echo " ! WARNING: '$keyfile' is not a valid [open]ssh-public-key. Will continue anyway."
continue
fi
# If client is $BORG_ADMIN unset $client_name, so path restriction equals $BORG_DATA_DIR
# Otherwise add --append-only, if enabled
borg_cmd=${BORG_CMD}
if [ "${client_name}" == "${BORG_ADMIN}" ] ; then
echo " ** Client '${client_name}' is BORG_ADMIN! **"
unset client_name
elif [ "${BORG_APPEND_ONLY}" == "yes" ] ; then
borg_cmd="${BORG_CMD} --append-only"
fi
echo -n "command=\"$(eval echo -n \"${borg_cmd}\")\" " >> ${AUTHORIZED_KEYS_PATH}
cat ${keyfile} >> ${AUTHORIZED_KEYS_PATH}
done
# This will also fail if there wasn't a single valid pubkey found
echo " * Validating structure of generated ${AUTHORIZED_KEYS_PATH}..."
if ! ssh-keygen -lf ${AUTHORIZED_KEYS_PATH} >/dev/null ; then
echo " ! FATAL ERROR: ${AUTHORIZED_KEYS_PATH} is no valid authorized_keys file. Can't continue."
exit 3
fi
echo " * Correcting Permissions..."
chown borg:borg ${AUTHORIZED_KEYS_PATH}
chown -R borg:borg ${SSH_KEY_DIR}/*
chown borg:borg ${BORG_DATA_DIR}
chmod 600 ${AUTHORIZED_KEYS_PATH}
echo "########################################################"
echo " * Init done! Ready to fire up your borgserver!"
exit 0

36
server/Dockerfile Normal file
View file

@ -0,0 +1,36 @@
############################################################
# Dockerfile to build borgbackup server images
# Based on Debian
############################################################
FROM debian:buster-slim
# Volume for SSH-Host-Keys
VOLUME /sshkeys
# Volume for borg repositories
VOLUME /backup
# Volume for authorized_keys exchange from init
VOLUME /home/borg
RUN export DEBIAN_FRONTEND=noninteractive && \
apt-get update && \
apt-get -y --no-install-recommends install \
borgbackup openssh-server iputils-ping && \
apt-get clean && \
useradd -s /bin/bash -m -U borg && \
mkdir /home/borg/.ssh && \
chmod 700 /home/borg/.ssh && \
touch /home/borg/.ssh/authorized_keys && \
chown -R borg:borg /home/borg /backup && \
mkdir /run/sshd && \
rm -f /etc/ssh/ssh_host*key* && \
rm -rf /var/lib/apt/lists/* /var/tmp/* /tmp/*
COPY ./entrypoint.sh /entrypoint.sh
COPY ./sshd_config /etc/ssh/sshd_config
USER borg
EXPOSE 2222
ENTRYPOINT /entrypoint.sh

64
server/entrypoint.sh Executable file
View file

@ -0,0 +1,64 @@
#!/bin/bash
# Start Script for docker-borgserver
PUID=${PUID:-1000}
PGID=${PGID:-1000}
usermod -o -u "$PUID" borg &>/dev/null
groupmod -o -g "$PGID" borg &>/dev/null
BORG_DATA_DIR=${BORG_DATA_DIR:-/backup}
SSH_KEY_DIR=${SSH_KEY_DIR:-/sshkeys}
BORG_CMD='cd ${BORG_DATA_DIR}/${client_name}; borg serve --restrict-to-path ${BORG_DATA_DIR}/${client_name} ${BORG_SERVE_ARGS}'
AUTHORIZED_KEYS_PATH=/home/borg/.ssh/authorized_keys
# Append only mode?
BORG_APPEND_ONLY=${BORG_APPEND_ONLY:=no}
echo "########################################################"
echo " * Docker BorgServer powered by $(borg -V)"
echo "########################################################"
echo " * $(id)"
echo "########################################################"
echo -n "Waiting for init-container to finish..."
sleep 5
while ping -c2 init >/dev/null 2>/dev/null ; do
echo .
sleep 3
done
echo " done"
# Precheck if BORG_ADMIN is set
if [ "${BORG_APPEND_ONLY}" == "yes" ] && [ -z "${BORG_ADMIN}" ] ; then
echo "WARNING: BORG_APPEND_ONLY is active, but no BORG_ADMIN was specified!"
fi
# Precheck directories & client ssh-keys
for dir in BORG_DATA_DIR SSH_KEY_DIR ; do
dirpath=$(eval echo '$'${dir})
echo " * Testing Volume ${dir}: ${dirpath}"
if [ ! -d "${dirpath}" ] ; then
echo " ! ERROR: ${dirpath} is no directory!"
exit 1
fi
done
for keytype in ed25519 rsa ; do
if [ ! -f "${SSH_KEY_DIR}/ssh_host_${keytype}_key" ] ; then
echo " ! WARNING: SSH-Host-Key $keytype doesn't exist!"
continue
fi
done
echo "########################################################"
echo " * Checking authorized_keys file..."
# Check if authorzied_keys is valid
if ! ssh-keygen -lf ${AUTHORIZED_KEYS_PATH} >/dev/null; then
echo " ! ERROR: '${AUTHORIZED_KEYS_PATH}' is not a valid authorized_keys-file."
exit 1
fi
echo "########################################################"
echo " * Init done! Starting SSH-Daemon..."
/usr/sbin/sshd -D -e

View file

@ -1,17 +1,19 @@
Port 22
Port 2222
AddressFamily any
ListenAddress 0.0.0.0
ListenAddress ::
HostKey /sshkeys/host/ssh_host_rsa_key
HostKey /sshkeys/host/ssh_host_ed25519_key
HostKey /sshkeys/ssh_host_rsa_key
HostKey /sshkeys/ssh_host_ed25519_key
PidFile /tmp/sshd.pid
PermitRootLogin no
StrictModes yes
MaxSessions 20
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
AuthorizedKeysFile /home/borg/.ssh/authorized_keys
LogLevel INFO
@ -25,6 +27,3 @@ PermitTTY no
PrintMotd no
PermitTunnel no
Subsystem sftp /bin/false
ClientAliveInterval 10
ClientAliveCountMax 30