add Dockerfile

.gitea/workflows/build-push.yaml

@@ -0,0 +1,39 @@
+name: Build and Push container image
+run-name: ${{ gitea.actor }} is building and pushing
+
+on:
+  create:
+    tags: "*"
+
+env:
+  GITEA_DOMAIN: git.fjla.uk
+  GITEA_REGISTRY_USER: fred.boniface
+  RESULT_IMAGE_NAME: fred.boniface/restic
+
+jobs:
+  build-and-push-image:
+    runs-on: ubuntu-latest
+    container:
+      image: catthehacker/ubuntu:act-latest
+      options: --privileged
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Login to Gitea Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.GITEA_DOMAIN }}
+          username: ${{ env.GITEA_REGISTRY_USER }}
+          password: ${{ secrets.REGISTRY_TOKEN }}
+      - name: Build and Push image
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: ./Dockerfile
+          push: true
+          tags: |
+            ${{ env.GITEA_DOMAIN }}/${{ env.RESULT_IMAGE_NAME }}:${{ gitea.ref_name }}
+            ${{ env.GITEA_DOMAIN }}/${{ env.RESULT_IMAGE_NAME }}:latest

Dockerfile

@@ -0,0 +1,8 @@
+FROM restic/restic:0.18.1
+
+RUN apk add --no-cache openssh-client bash
+
+COPY scripts/restic.bash /usr/local/bin/backup-entrypoint.sh
+RUN chmod +x /usr/local/bin/backup-entrypoint.sh
+
+ENTRYPOINT ["/usr/local/bin/backup-entrypoint.sh"]

scripts/restic.bash

@@ -2,7 +2,7 @@
 set -e
 
 # -- 1. Secure Environment Setup --
-# We use /tmp to ensure this works on Read-Only filesystems (PSA Restrictive)
+export RESTIC_CACHE_DIR="${RESTIC_CACHE_DIR:-/tmp/restic-cache}"
 export SSH_DIR="/tmp/.ssh"
 mkdir -p "$SSH_DIR"
 
@@ -10,27 +10,16 @@ mkdir -p "$SSH_DIR"
 cp "$SSH_KEY_PATH" "$SSH_DIR/key"
 chmod 0600 "$SSH_DIR/key"
 
-# -- 2. Build the "Magic" Command --
-# This string is what Restic will execute instead of the local 'rclone' binary.
-# It pipes Restic's requests directly to the remote server.
-SSH_CMD="ssh -p ${SSH_PORT:-22} -i $SSH_DIR/key -o StrictHostKeyChecking=accept-new ${SSH_USER}@${SSH_HOST}"
 
-# Why 'rclone:remote:/'? 
+SSH_CMD="ssh -p ${SSH_PORT:-22} -i $SSH_DIR/key -o StrictHostKeyChecking=accept-new ${SSH_USER}@${SSH_HOST}"
-# 'remote' is just a placeholder name. 
-# '/' works because the remote authorized_keys forces the directory path.
 REPO="rclone:remote:/"
 
 run_restic() {
-    # -o rclone.program tells Restic to execute our SSH string 
+    # -o rclone.program tells Restic to execute over SSH
-    # instead of looking for an rclone binary.
     restic -o rclone.program="$SSH_CMD" -r "$REPO" "$@"
 }
 
-# -- 3. Lifecycle Execution --
-
 echo "--- 1. Initialization Check ---"
-# We try to list snapshots. If it fails, we assume the repo needs init.
-# We suppress stdout to keep logs clean, only showing errors.
 if ! run_restic snapshots > /dev/null 2>&1; then
     echo "Repository not found. Initializing..."
     run_restic init
@@ -39,23 +28,28 @@ else
 fi
 
 echo "--- 2. Starting Backup ---"
-run_restic backup "${SOURCE_DIR}" \
+
+for pattern in $EXCLUDE_PATTERNS; do
+    EXCLUDES+=("--exclude=$pattern")
+done
+
+run_restic backup ${SOURCE_DIR} \
+    "${EXCLUDES[@]}" \
     --tag "${BACKUP_TAG:-Default}" \
     --verbose
 
-# -- 4. Retention (Optional) --
+# -- 4. Retention (if set) --
 if [ -n "$RETENTION_POLICY" ]; then
     echo "--- 3. Retention & Pruning ---"
     # shellcheck disable=SC2086
     run_restic forget --group-by tag --tag "${BACKUP_TAG:-Default}" $RETENTION_POLICY --prune
 fi
 
-# -- 5. Health Check (Optional) --
+# -- 5. Health Check (if set) --
 if [ "$RUN_CHECK" = "true" ]; then
     echo "--- 4. Integrity Check ---"
-    # We use a default subset of 5% if not specified, to save bandwidth
+    # default to 5% read test
-    CHECK_ARGS=${CHECK_ARGS:---read-data-subset=5%}
+    run_restic check ${CHECK_ARGS:---read-data-subset=5%}
-    run_restic check $CHECK_ARGS
 fi
 
 # -- 6. Cache Cleanup --