diff --git a/.gitea/workflows/build-push.yaml b/.gitea/workflows/build-push.yaml new file mode 100644 index 0000000..657422b --- /dev/null +++ b/.gitea/workflows/build-push.yaml @@ -0,0 +1,39 @@ +name: Build and Push container image +run-name: ${{ gitea.actor }} is building and pushing + +on: + create: + tags: "*" + +env: + GITEA_DOMAIN: git.fjla.uk + GITEA_REGISTRY_USER: fred.boniface + RESULT_IMAGE_NAME: fred.boniface/restic + +jobs: + build-and-push-image: + runs-on: ubuntu-latest + container: + image: catthehacker/ubuntu:act-latest + options: --privileged + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + - name: Login to Gitea Container Registry + uses: docker/login-action@v3 + with: + registry: ${{ env.GITEA_DOMAIN }} + username: ${{ env.GITEA_REGISTRY_USER }} + password: ${{ secrets.REGISTRY_TOKEN }} + - name: Build and Push image + uses: docker/build-push-action@v6 + with: + context: . + file: ./Dockerfile + push: true + tags: | + ${{ env.GITEA_DOMAIN }}/${{ env.RESULT_IMAGE_NAME }}:${{ gitea.ref_name }} + ${{ env.GITEA_DOMAIN }}/${{ env.RESULT_IMAGE_NAME }}:latest \ No newline at end of file diff --git a/Dockerfile b/Dockerfile new file mode 100644 index 0000000..18df150 --- /dev/null +++ b/Dockerfile @@ -0,0 +1,8 @@ +FROM restic/restic:0.18.1 + +RUN apk add --no-cache openssh-client bash + +COPY scripts/restic.bash /usr/local/bin/backup-entrypoint.sh +RUN chmod +x /usr/local/bin/backup-entrypoint.sh + +ENTRYPOINT ["/usr/local/bin/backup-entrypoint.sh"] \ No newline at end of file diff --git a/scripts/restic.bash b/scripts/restic.bash index 370daf0..cb98db8 100644 --- a/scripts/restic.bash +++ b/scripts/restic.bash @@ -2,7 +2,7 @@ set -e # -- 1. Secure Environment Setup -- -# We use /tmp to ensure this works on Read-Only filesystems (PSA Restrictive) +export RESTIC_CACHE_DIR="${RESTIC_CACHE_DIR:-/tmp/restic-cache}" export SSH_DIR="/tmp/.ssh" mkdir -p "$SSH_DIR" @@ -10,27 +10,16 @@ mkdir -p "$SSH_DIR" cp "$SSH_KEY_PATH" "$SSH_DIR/key" chmod 0600 "$SSH_DIR/key" -# -- 2. Build the "Magic" Command -- -# This string is what Restic will execute instead of the local 'rclone' binary. -# It pipes Restic's requests directly to the remote server. -SSH_CMD="ssh -p ${SSH_PORT:-22} -i $SSH_DIR/key -o StrictHostKeyChecking=accept-new ${SSH_USER}@${SSH_HOST}" -# Why 'rclone:remote:/'? -# 'remote' is just a placeholder name. -# '/' works because the remote authorized_keys forces the directory path. +SSH_CMD="ssh -p ${SSH_PORT:-22} -i $SSH_DIR/key -o StrictHostKeyChecking=accept-new ${SSH_USER}@${SSH_HOST}" REPO="rclone:remote:/" run_restic() { - # -o rclone.program tells Restic to execute our SSH string - # instead of looking for an rclone binary. + # -o rclone.program tells Restic to execute over SSH restic -o rclone.program="$SSH_CMD" -r "$REPO" "$@" } -# -- 3. Lifecycle Execution -- - echo "--- 1. Initialization Check ---" -# We try to list snapshots. If it fails, we assume the repo needs init. -# We suppress stdout to keep logs clean, only showing errors. if ! run_restic snapshots > /dev/null 2>&1; then echo "Repository not found. Initializing..." run_restic init @@ -39,23 +28,28 @@ else fi echo "--- 2. Starting Backup ---" -run_restic backup "${SOURCE_DIR}" \ + +for pattern in $EXCLUDE_PATTERNS; do + EXCLUDES+=("--exclude=$pattern") +done + +run_restic backup ${SOURCE_DIR} \ + "${EXCLUDES[@]}" \ --tag "${BACKUP_TAG:-Default}" \ --verbose -# -- 4. Retention (Optional) -- +# -- 4. Retention (if set) -- if [ -n "$RETENTION_POLICY" ]; then echo "--- 3. Retention & Pruning ---" # shellcheck disable=SC2086 run_restic forget --group-by tag --tag "${BACKUP_TAG:-Default}" $RETENTION_POLICY --prune fi -# -- 5. Health Check (Optional) -- +# -- 5. Health Check (if set) -- if [ "$RUN_CHECK" = "true" ]; then echo "--- 4. Integrity Check ---" - # We use a default subset of 5% if not specified, to save bandwidth - CHECK_ARGS=${CHECK_ARGS:---read-data-subset=5%} - run_restic check $CHECK_ARGS + # default to 5% read test + run_restic check ${CHECK_ARGS:---read-data-subset=5%} fi # -- 6. Cache Cleanup --