Merge pull request #359 from Psycho0verload/refactor_s6_docker_secrets

Revision of the handling of Docker secrets in S6

Dockerfile

@@ -1,6 +1,6 @@
 # syntax = docker/dockerfile:latest
 
-FROM python:3.12.5-alpine3.19 as base
+FROM python:3.12.7-alpine3.19 AS base
 ARG TARGETARCH
 
 LABEL maintainer='borgmatic-collective'
@@ -13,7 +13,7 @@ ENV S6_OVERLAY_ARCH=aarch64
 
 FROM base-${TARGETARCH}${TARGETVARIANT}
 
-ARG S6_OVERLAY_VERSION=3.1.6.2
+ARG S6_OVERLAY_VERSION=3.2.0.2
 
 # Add S6 Overlay
 ADD https://github.com/just-containers/s6-overlay/releases/download/v${S6_OVERLAY_VERSION}/s6-overlay-${S6_OVERLAY_ARCH}.tar.xz /tmp/s6-overlay.tar.xz

README.md

@@ -18,6 +18,9 @@ This repository provides a Docker image for [borgmatic](https://github.com/witte
 > **Warning**
 > As of 2023-06-23 msmtp and ntfy flavors have been discontinued. This image has now switched to apprise.
 
+> **Warning**
+> Secrets will be implemented differently from October 2024. From `*_FILE` to `FILE__*`
+
 ## Usage ##
 
 ### Prerequisites
@@ -26,7 +29,7 @@ Alternatively, you can also use [podman](https://podman.io/docs) to run this ima
 
 ### Getting Started
 
-Run this command to create data directories required by this image under your prefered directory. 
+Run this command to create data directories required by this image under your prefered directory.
 
 ```
 mkdir data/{borgmatic.d,repository,.config,.ssh,.cache}
@@ -92,7 +95,7 @@ You can set the following environment variables:
 | --- | --- |
 | `TZ` | Time zone, e.g. `TZ="Europe/Berlin"'`. |
 | `BORG_RSH` | SSH parameters, e.g. `BORG_RSH="ssh -i /root/.ssh/id_ed25519 -p 50221"` |
-| `BORG_PASSPHRASE` | Repository passphrase, e.g. `BORG_PASSPHRASE="DonNotMissToChangeYourPassphrase"` |
+| `BORG_PASSPHRASE` | Repository passphrase, e.g. `BORG_PASSPHRASE=DonNotMissToChangeYourPassphrase` |
 | `BACKUP_CRON` | Cron schedule to run borgmatic. Default:`0 1 * * *` |
 | `RUN_ON_STARTUP` | Run borgmatic on startup. e.g.: `RUN_ON_STARTUP=true` |
 
@@ -103,15 +106,27 @@ You can also provide your own crontab file. If `data/borgmatic.d/crontab.txt` ex
 
 Beside that, you can also pass any environment variable that is supported by borgmatic. See documentation for [borgmatic](https://torsion.org/borgmatic/) and [Borg](https://borgbackup.readthedocs.io/) and for a list of supported variables.
 
-### Using Secrets (Optional)
-
-You also have the option of using Docker Secrets for more sensitive information. This is not mandatory, but provides an additional layer of security. **Note that this function is only applicable to environment variables that start with `BORG` or `YOUR`.**
-
-For each environment variable such as `BORG_PASSPHRASE`, you can create a corresponding secret file called `BORG_PASSPHRASE_FILE`. Store the contents of the secret file in this file. The start script automatically searches for corresponding `_FILE` secrets if the environment variables are not set and loads them.
+### Environment variables from files (Docker secrets)¶
+You can set any environment variable from a file by using a special prepend `FILE__`.
+As an example:
+```
+-e FILE__BORG_PASSPHRASE=/run/secrets/mysecretvariable
+```
+Will set the environment variable `BORG_PASSPHRASE` based on the contents of the `/run/secrets/mysecretvariable` file.
 
-It is important to know that this environment variable is **not** available via `docker compose exec borgmatic sh`. Only for the automated call via the defined cron.
+It is important to know that this environment variable is **not** simply available via `docker (compose) exec borgmatic sh` but only for the automatic call via the defined cron.
 
+#### Manual commands with secrets
+If you want to initialize a repository manually or start a backup outside of the cron job, proceed as follows:
 
+- **Initialize repository**
+  ```
+  docker exec borgmatic /bin/sh -c 'export BORG_PASSPHRASE=$(cat /run/s6/container_environment/BORG_PASSPHRASE) && borgmatic init --encryption repokey'
+  ```
+- **Trigger manual backup**
+  ```
+  docker exec borgmatic /bin/sh -c 'export BORG_PASSPHRASE=$(cat /run/s6/container_environment/BORG_PASSPHRASE) && borgmatic create --stats -v 0'
+  ```
 
 ## Using Apprise for Notifications
 

requirements.txt

@@ -1,5 +1,5 @@
 --extra-index-url https://dl.cloudsmith.io/public/borgmatic-collective/borgmatic/python/simple/
 
 borgbackup==1.4.0
-borgmatic[apprise]==1.8.14
+borgmatic[apprise]==1.9.0
 llfuse==1.5.1

root/etc/s6-overlay/s6-rc.d/init-envfile/run

@@ -0,0 +1,23 @@
+#!/usr/bin/with-contenv bash
+# shellcheck shell=bash
+
+# This script originates from the base image by LinuxServer.io
+# (https://www.linuxserver.io/). It is provided under the GNU
+# GENERAL PUBLIC LICENSE Version 3.
+
+if find /run/s6/container_environment/FILE__* -maxdepth 1 > /dev/null 2>&1; then
+    for FILENAME in /run/s6/container_environment/FILE__*; do
+            SECRETFILE=$(cat "${FILENAME}")
+            if [[ -f ${SECRETFILE} ]]; then
+                FILESTRIP=${FILENAME//FILE__/}
+                if [[ $(tail -n1 "${SECRETFILE}" | wc -l) != 0 ]]; then
+                    echo "[env-init] Your secret: ${FILENAME##*/}"
+                    echo "           contains a trailing newline and may not work as expected"
+                fi
+                cat "${SECRETFILE}" >"${FILESTRIP}"
+                echo "[env-init] ${FILESTRIP##*/} set from ${FILENAME##*/}"
+            else
+                echo "[env-init] cannot find secret in ${FILENAME##*/}"
+            fi
+    done
+fi

root/etc/s6-overlay/s6-rc.d/init-envfile/type

@@ -0,0 +1 @@
+oneshot

root/etc/s6-overlay/s6-rc.d/init-envfile/up

@@ -0,0 +1 @@
+/etc/s6-overlay/s6-rc.d/init-envfile/run