From 746943e5123b6c854847eb73a9e5b05a70f808b5 Mon Sep 17 00:00:00 2001
From: Philip Henning
Date: Mon, 25 Nov 2024 11:36:28 +0100
Subject: [PATCH] setup restic for backups
---
 docker-compose.yml | 82 +++++++++++++++++++++++++++++++++++-----------
 env.template | 1 +
 2 files changed, 64 insertions(+), 19 deletions(-)
diff --git a/docker-compose.yml b/docker-compose.yml
index 2965f3f..0f15b8c 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -22,6 +22,7 @@ services:
 timeout: 5s
 volumes:
 - database:/var/lib/postgresql/data
+ - backups_db:/var/lib/postgresql/backups
 environment:
 POSTGRES_PASSWORD: ${PG_PASS:?database password required}
 POSTGRES_USER: ${PG_USER:-authentik}
@@ -55,10 +56,10 @@ services:
 AUTHENTIK_POSTGRESQL__HOST: postgresql
 AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
 AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
- AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
+ AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS:?PG_PASS is required. - Password for authentik's postgresql database}
 volumes:
- - ./data/media:/media
- - ./data/custom-templates:/templates
+ - ./data/authentik/media:/media
+ - ./data/authentik/custom-templates:/templates
 - geoip:/geoip
 env_file:
 - .env
@@ -78,7 +79,7 @@ services:
 AUTHENTIK_POSTGRESQL__HOST: postgresql
 AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
 AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
- AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
+ AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS:?PG_PASS is required. - Password for authentik's postgresql database}
 # `user: root` and the docker socket volume are optional.
 # See more for the docker socket integration here:
 # https://goauthentik.io/docs/outposts/integrations/docker
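Review bot: The bind-mount sources under `volumes:` of the server service move from `./data/media` and `./data/custom-templates` to `./data/authentik/...`, but nothing in the commit moves existing data, so a deployment that pulls this change would most likely come up with empty media and template directories until someone relocates them by hand; the same rename appears in the worker hunk at @@ -88. A comment above the list such as `# data moved from ./data/media and ./data/custom-templates into ./data/authentik/ — relocate existing directories before restarting` would spare the next operator from discovering this at runtime. Separately, the PG_PASS guard in this hunk and at @@ -78 carries a different message from the one in @@ -22 (`database password required`); using `${PG_PASS:?database password required}` in all three places keeps the failure output consistent and greppable. The server service's definition begins outside the hunk.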
@@ -88,9 +89,9 @@ services:
 user: root
 volumes:
 - /var/run/docker.sock:/var/run/docker.sock
- - ./data/media:/media
- - ./data/certs:/certs
- - ./data/custom-templates:/templates
+ - ./data/authentik/media:/media
+ - ./data/authentik/certs:/certs
+ - ./data/authentik/custom-templates:/templates
 - geoip:/geoip
 env_file:
 - .env
@@ -112,18 +113,18 @@ services:
 server:
 condition: service_healthy
 environment:
- - NGINX_HTTP_PORT=${NGINX_HTTP_PORT}
- - NGINX_HTTPS_PORT=${NGINX_HTTPS_PORT}
- - NGINX_RESOLVER=${NGINX_RESOLVER}
- - NGINX_SERVERNAME=${NGINX_SERVERNAME}
- - NGINX_SSL_SESSION_TIMEOUT=${NGINX_SSL_SESSION_TIMEOUT}
- - NGINX_SSL_SESSION_CACHE=${NGINX_SSL_SESSION_CACHE}
- - NGINX_SSL_PROTOCOLS=${NGINX_SSL_PROTOCOLS}
- - NGINX_SSL_CIPHERS=${NGINX_SSL_CIPHERS}
- - NGINX_SSL_PREFER_SERVER_CIPHERS=${NGINX_SSL_PREFER_SERVER_CIPHERS}
- - NGINX_HEADER_STRICT_TRANSPORT_SECURITY=${NGINX_HEADER_STRICT_TRANSPORT_SECURITY}
- - NGINX_SSL_STAPLING=${NGINX_SSL_STAPLING}
- - NGINX_SSL_STAPLING_VERIFY=${NGINX_SSL_STAPLING_VERIFY}
+ - NGINX_HTTP_PORT=${NGINX_HTTP_PORT:-8080}
+ - NGINX_HTTPS_PORT=${NGINX_HTTPS_PORT:-8443}
+ - NGINX_RESOLVER=${NGINX_RESOLVER:-127.0.0.11}
+ - NGINX_SERVERNAME=${NGINX_SERVERNAME:?Server name is required}
+ - NGINX_SSL_SESSION_TIMEOUT=${NGINX_SSL_SESSION_TIMEOUT:-1d}
+ - NGINX_SSL_SESSION_CACHE=${NGINX_SSL_SESSION_CACHE:-shared:MozSSL:10m}
+ - NGINX_SSL_PROTOCOLS=${NGINX_SSL_PROTOCOLS:-TLSv1.2 TLSv1.3}
+ - NGINX_SSL_CIPHERS=${NGINX_SSL_CIPHERS:-ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305}
+ - NGINX_SSL_PREFER_SERVER_CIPHERS=${NGINX_SSL_PREFER_SERVER_CIPHERS:-off}
+ - NGINX_HEADER_STRICT_TRANSPORT_SECURITY=${NGINX_HEADER_STRICT_TRANSPORT_SECURITY:-'"max-age=63072000" always'}
+ - NGINX_SSL_STAPLING=${NGINX_SSL_STAPLING:-on}
+ - NGINX_SSL_STAPLING_VERIFY=${NGINX_SSL_STAPLING_VERIFY:-on}
 volumes:
 - ./data/nginx/default.conf.template:/etc/nginx/templates/default.conf.template:ro
 - ./data/nginx/dhparams.pem:/etc/nginx/ssl/dhparams.pem:ro
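Review bot: The fallback for `NGINX_HEADER_STRICT_TRANSPORT_SECURITY` is written as `'"max-age=63072000" always'`, and Compose does not strip quotes from a `${VAR:-default}` fallback, so the variable's value carries both quote pairs literally; whether that is what `default.conf.template` expects cannot be seen from here. If the template substitutes the value verbatim into an `add_header` directive, the outer single quotes are probably unintended; if the quoting is deliberate, an inline comment such as `# substituted verbatim into default.conf.template, quotes included` would keep the next reader from "fixing" it. The `NGINX_SSL_CIPHERS` fallback is one very long list item; a comment naming the profile it was taken from would make future review of the cipher set easier than re-deriving it. The nginx service's definition begins outside the hunk.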
@@ -143,8 +144,51 @@ services:
 networks:
 - frontend
+ backup:
+ image: registry.git.base23.de/base23/backup/resticker:0.11.0
+ environment:
+ PRE_COMMANDS: |-
+ cd /sso.base23.de/
+ docker compose exec postgresql pg_dump -U ${PG_USER:-authentik} -d ${PG_DB:-authentik} -f /var/lib/postgresql/backups/${PG_DB:-authentik}.sql
+ #RUN_ON_STARTUP: "true"
+ BACKUP_CRON: "32 2 * * *"
+ RESTIC_REPOSITORY: sftp://${RESTIC_REPO_USER:?Restic repository user is required}@${RESTIC_REPO_ADDRESS:?Restic repository address is requried}:${RESTIC_REPO_PORT:?Restic repository port is required}/
+ RESTIC_PASSWORD: ${RESTIC_REPO_PASSWORD:?Restic repository password is required}
+ RESTIC_BACKUP_SOURCES: /var/lib/backups
+ RESTIC_BACKUP_ARGS: >-
+ --tag ${RESTIC_TAG:?Restic tag is required}
+ --verbose
+ RESTIC_FORGET_ARGS: >-
+ --keep-last 10
+ --keep-daily 7
+ --keep-weekly 5
+ --keep-monthly 12
+ TZ: Europe/Berlin
+ volumes:
+ - ./data/restic/ssh/:/tmp/.ssh/:ro
+ - /var/run/docker.sock:/var/run/docker.sock
+ - ./docker-compose.yml:/sso.base23.de/docker-compose.yml:ro
+ - backups_db:/var/lib/backups/postgresql:ro
+ - ./data/authentik/certs:/var/lib/backups/authentik/certs:ro
+ - ./data/authentik/custom-templates:/var/lib/backups/authentik/templates:ro
+ - ./data/authentik/media:/var/lib/backups/authentik/media:ro
+ - ./data/.lego:/var/lib/backups/lego:ro
+
+ prune-backup:
+ image: registry.git.base23.de/base23/backup/resticker:0.11.0
+ environment:
+ RUN_ON_STARTUP: "true"
+ PRUNE_CRON: "2 3 * * * *"
+ RESTIC_REPOSITORY: sftp://${RESTIC_REPO_USER:?Restic repository user is required}@${RESTIC_REPO_ADDRESS:?Restic repository address is requried}:${RESTIC_REPO_PORT:?Restic repository port is required}/backup
+ RESTIC_PASSWORD: ${RESTIC_REPO_PASSWORD:?Restic repository password is required}
+ TZ: Europe/Berlin
+ volumes:
+ - ./data/restic/ssh/:/tmp/.ssh/:ro
+
 volumes:
+ backups_db:
+ driver: local
 database:
 driver: local
 redis:
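Review bot: The two resticker services point at different repositories: `backup` sets `RESTIC_REPOSITORY` to `sftp://...:${RESTIC_REPO_PORT:?...}/` while `prune-backup` sets it to `.../backup`, so the prune job would run against a repository the backup job never writes to (or fail on a missing one) and the retention policy would never apply to the real snapshots; both lines should resolve to the same path. `PRUNE_CRON: "2 3 * * * *"` has six fields while `BACKUP_CRON: "32 2 * * *"` has five: if resticker's scheduler takes five-field crontab syntax the prune schedule is invalid, and if it takes a seconds-first six-field form it prunes at 03:02 of every hour, so the intended expression should be written in the same form as the backup one, presumably `"2 3 * * *"`. The error text `Restic repository address is requried` (in both services) is misspelled. `PRE_COMMANDS` runs `docker compose exec` against the mounted `docker-compose.yml`, which declares `env_file: .env` and `${PG_PASS:?...}`; neither `.env` nor those variables are provided to the `backup` container in this hunk, so that invocation will likely fail at model load unless the image supplies them, and a comment stating how the project context (name, `.env`) is expected to resolve inside the container would help. The Docker socket mount gives this container control over every container on the host; a comment such as `# docker.sock is needed only for the pg_dump exec in PRE_COMMANDS` documents why that privilege is granted and makes it easy to drop if the dump is moved into the postgresql service.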
diff --git a/env.template b/env.template
index b1134b6..d392e41 100644
--- a/env.template
+++ b/env.template
@@ -60,4 +60,5 @@ NGINX_SSL_STAPLING_VERIFY=on
 RESTIC_REPO_USER=u291924-sub4
 RESTIC_REPO_ADDRESS=u291924.your-storagebox.de
 RESTIC_REPO_PORT=23
+RESTIC_TAG=sso.base23.de