Merge branch 'release/1.0.0'

* Upgrade to bullseye-slim image
* Fix(run.sh): authorized_keys permissions
* Change(run.sh): Add restrict to client keys & output debian version
* Change(Dockerfile): Allow different base images
* Update(drone): Build buster & bullseye images
* Update README

.woodpecker.yml

@@ -0,0 +1,39 @@
+steps:
+  build:
+    image: woodpeckerci/plugin-docker-buildx
+    settings:
+      dry-run: true
+      repo: git.merp.digital/${CI_REPO_OWNER}/borgserver
+      platforms: linux/386,linux/amd64,linux/arm/v7,linux/arm64/v8
+      registry: git.merp.digital
+    when:
+      - event: push
+        branch: 
+          exclude: [develop, master]
+
+  publish-nightly:
+    image: woodpeckerci/plugin-docker-buildx
+    settings:
+      repo: git.merp.digital/${CI_REPO_OWNER}/borgserver
+      platforms: linux/386,linux/amd64,linux/arm/v7,linux/arm64/v8
+      registry: git.merp.digital
+      tags: develop-${CI_COMMIT_SHA}
+      username: ${CI_REPO_OWNER}
+      password:
+        from_secret: cb_token
+    when:
+      - event: push
+        branch: develop
+
+  publish-release:
+    image: woodpeckerci/plugin-docker-buildx
+    settings:
+      repo: git.merp.digital/${CI_REPO_OWNER}/borgserver
+      platforms: linux/386,linux/amd64,linux/arm/v7,linux/arm64/v8
+      registry: git.merp.digital
+      tags: ${CI_COMMIT_TAG}
+      username: ${CI_REPO_OWNER}
+      password:
+        from_secret: cb_token
+    when:
+      - event: tag

Dockerfile

@@ -2,7 +2,7 @@
 # Dockerfile to build borgbackup server images
 # Based on Debian
 ############################################################
-FROM debian:buster-slim
+FROM debian:12.4-slim
 
 # Volume for SSH-Keys
 VOLUME /sshkeys
@@ -14,10 +14,10 @@ ENV DEBIAN_FRONTEND noninteractive
 
 RUN apt-get update && apt-get -y --no-install-recommends install \
 		borgbackup openssh-server && apt-get clean && \
-		useradd -s /bin/bash -m borg && \
+		useradd -s /bin/bash -m -U borg && \
 		mkdir /home/borg/.ssh && \
 		chmod 700 /home/borg/.ssh && \
-		chown borg: /home/borg/.ssh && \
+		chown borg:borg /home/borg/.ssh && \
 		mkdir /run/sshd && \
 		rm -f /etc/ssh/ssh_host*key* && \
 		rm -rf /var/lib/apt/lists/* /var/tmp/* /tmp/*

README.md

@@ -29,7 +29,7 @@ docker run -td \
 	-p 2222:22  \
 	--volume ./borg/sshkeys:/sshkeys \
 	--volume ./borg/backup:/backup \
-	nold360/borgserver:latest
+	git.merp.digital/eranmorkon/borgserver:1.0.0
 ```
 
 
@@ -45,7 +45,7 @@ See the the documentation for all available arguments: [borgbackup.readthedocs.i
 
 ##### Example
 ```
-docker run --rm -e BORG_SERVE_ARGS="--progress --debug" (...) nold360/borgserver
+docker run --rm -e BORG_SERVE_ARGS="--progress --debug" (...) git.merp.digital/eranmorkon/borgserver
 ```
 
 #### BORG_APPEND_ONLY
@@ -62,7 +62,7 @@ To declare a client as admin, set this variable to the name of the client/sshkey
 
 ##### Example
 ```
-docker run --rm -e BORG_APPEND_ONLY="yes" -e BORG_ADMIN="nolds_notebook" (...) nold360/borgserver
+docker run --rm -e BORG_APPEND_ONLY="yes" -e BORG_ADMIN="nolds_notebook" (...) git.merp.digital/eranmorkon/borgserver
 ```
 
 To prune repos from another client, you have to add the path to the repository in the clients directory:
@@ -71,6 +71,14 @@ borg prune --keep-last 100 --keep-weekly 1 (...) borgserver:/clientA/clientA
 ```
 
 
+#### PUID
+Used to set the user id of the `borg` user inside the container. This can be useful when the container has to access resources on the host with a specific user id.
+
+
+#### PGID
+Used to set the group id of the `borg` group inside the container. This can be useful when the container has to access resources on the host with a specific group id.
+
+
 ### Persistent Storages & Client Configuration
 We will need two persistent storage directories for our borgserver to be usefull.
 
@@ -82,8 +90,10 @@ Here we will put all SSH public keys from our borg clients, we want to backup. E
 
 That means every client get's it's own repository. So you might want to use the hostname of the client as the name of the sshkey file.
 
+Hidden files & files inside of hidden directories will be ignored!
+
 ```
-F.e. /sshkeys/clients/webserver.mydomain.com
+e.g. /sshkeys/clients/webserver.mydomain.com
 ```
 
 Than your client would have to initiat the borg repository like this:
@@ -102,21 +112,7 @@ In this directory will borg write all the client data to. It's best to start wit
 
 ## Example Setup
 ### docker-compose.yml
-Here is a quick example, how to run borgserver using docker-compose:
-```
-services:
- borgserver:
-  image: nold360/borgserver
-  volumes:
-   - /backup:/backup
-   - ./sshkeys:/sshkeys
-  ports:
-   - "2222:22"
-  environment:
-   BORG_SERVE_ARGS: ""
-   BORG_APPEND_ONLY: "no"
-   BORG_ADMIN: ""
-```
+Here is a quick example, how to run borgserver using docker-compose: [docker-compose.yml](https://github.com/Nold360/docker-borgserver/blob/master/docker-compose.yml)
 
 ### ~/.ssh/config for clients
 With this configuration (on your borg client) you can easily connect to your borgserver.

data/run.sh

@@ -1,17 +1,30 @@
 #!/bin/bash
 # Start Script for docker-borgserver
 
+PUID=${PUID:-1000}
+PGID=${PGID:-1000}
+
+usermod -o -u "$PUID" borg &>/dev/null
+groupmod -o -g "$PGID" borg &>/dev/null
+
 BORG_DATA_DIR=/backup
 SSH_KEY_DIR=/sshkeys
 BORG_CMD='cd ${BORG_DATA_DIR}/${client_name}; borg serve --restrict-to-path ${BORG_DATA_DIR}/${client_name} ${BORG_SERVE_ARGS}'
+AUTHORIZED_KEYS_PATH=/home/borg/.ssh/authorized_keys
 
 # Append only mode?
 BORG_APPEND_ONLY=${BORG_APPEND_ONLY:=no}
 
+source /etc/os-release
 echo "########################################################"
 echo -n " * Docker BorgServer powered by "
 borg -V
+echo " * Based on ${PRETTY_NAME}"
 echo "########################################################"
+echo " * User  id: $(id -u borg)"
+echo " * Group id: $(id -g borg)"
+echo "########################################################"
+
 
 # Precheck if BORG_ADMIN is set
 if [ "${BORG_APPEND_ONLY}" == "yes" ] && [ -z "${BORG_ADMIN}" ] ; then
@@ -27,7 +40,7 @@ for dir in BORG_DATA_DIR SSH_KEY_DIR ; do
 		exit 1
 	fi
 
-	if [ "$(find ${SSH_KEY_DIR}/clients -type f | wc -l)" == "0" ] ; then
+	if [ "$(find ${SSH_KEY_DIR}/clients ! -regex '.*/\..*' -a -type f | wc -l)" == "0" ] ; then
 		echo "ERROR: No SSH-Pubkey file found in ${SSH_KEY_DIR}"
 		exit 1
 	fi
@@ -47,8 +60,8 @@ echo "########################################################"
 echo " * Starting SSH-Key import..."
 
 # Add every key to borg-users authorized_keys
-rm /home/borg/.ssh/authorized_keys &>/dev/null
-for keyfile in $(find "${SSH_KEY_DIR}/clients" -type f); do
+rm ${AUTHORIZED_KEYS_PATH} &>/dev/null
+for keyfile in $(find "${SSH_KEY_DIR}/clients" ! -regex '.*/\..*' -a -type f); do
     client_name=$(basename ${keyfile})
     mkdir ${BORG_DATA_DIR}/${client_name} 2>/dev/null
     echo "  ** Adding client ${client_name} with repo path ${BORG_DATA_DIR}/${client_name}"
@@ -63,13 +76,22 @@ for keyfile in $(find "${SSH_KEY_DIR}/clients" -type f); do
 		borg_cmd="${BORG_CMD} --append-only"
 	fi
 
-    echo -n "command=\"$(eval echo -n \"${borg_cmd}\")\" " >> /home/borg/.ssh/authorized_keys
-	cat ${keyfile} >> /home/borg/.ssh/authorized_keys
+  echo -n "restrict,command=\"$(eval echo -n \"${borg_cmd}\")\" " >> ${AUTHORIZED_KEYS_PATH}
+  cat ${keyfile} >> ${AUTHORIZED_KEYS_PATH}
+  echo >> ${AUTHORIZED_KEYS_PATH}
 done
+chmod 0600 "${AUTHORIZED_KEYS_PATH}"
 
-chown -R borg: /backup
-chown borg: /home/borg/.ssh/authorized_keys
-chmod 600 /home/borg/.ssh/authorized_keys
+echo " * Validating structure of generated ${AUTHORIZED_KEYS_PATH}..."
+ERROR=$(ssh-keygen -lf ${AUTHORIZED_KEYS_PATH} 2>&1 >/dev/null)
+if [ $? -ne 0 ]; then
+    echo "ERROR: ${ERROR}"
+    exit 1
+fi
+
+chown -R borg:borg ${BORG_DATA_DIR}
+chown borg:borg ${AUTHORIZED_KEYS_PATH}
+chmod 600 ${AUTHORIZED_KEYS_PATH}
 
 echo "########################################################"
 echo " * Init done! Starting SSH-Daemon..."

data/sshd_config

@@ -25,3 +25,6 @@ PermitTTY no
 PrintMotd no
 PermitTunnel no
 Subsystem	sftp	/bin/false
+
+ClientAliveInterval 10
+ClientAliveCountMax 30

docker-compose.yml

@@ -0,0 +1,21 @@
+version: '3'
+services:
+ borgserver:
+  image: git.merp.digital/eranmorkon/borgserver
+  #build: .
+  volumes:
+   - ./backup:/backup
+   - ./sshkeys:/sshkeys
+  ports:
+   - "2222:22"
+  environment:
+  # Additional Arguments, see https://borgbackup.readthedocs.io/en/stable/usage/serve.html
+   BORG_SERVE_ARGS: ""
+
+   # If set to "yes", only the BORG_ADMIN
+   # can delete/prune the other clients archives/repos
+   BORG_APPEND_ONLY: "no"
+
+   # Filename of Admins SSH-Key; has full access to all repos
+   BORG_ADMIN: ""
+  restart: unless-stopped