diff --git a/README.md b/README.md
index 43968da..661fbda 100644
--- a/README.md
+++ b/README.md
@@ -63,7 +63,7 @@ See [restic s3 docs](https://restic.readthedocs.io/en/latest/030_preparing_a_new
 ### SFTP Storage
-> TODO
+> With sftp it is not possible to prevent the backupbot from deleting backups in case of a compromised machine. Therefore we recommend to use S3, REST or rclone server without delete permissions.
 To use SFTP storage as backup location set the following envs:
 ```
@@ -72,10 +72,16 @@ SECRET_SSH_KEY_VERSION=v1
 SSH_HOST_KEY="hostname ssh-rsa AAAAB3...
 COMPOSE_FILE="$COMPOSE_FILE:compose.ssh.yml"
 ```
+To get the `SSH_HOST_KEY` run the following command `ssh-keyscan `
 Generate an ssh keypair: `ssh-keygen -t ed25519 -f backupkey -P ''`
-and add your `SSH_KEY` as docker secret:
-`abra app secret insert ssh_key v1 "$(cat backupkey)"`
+Add the key to your `authorized_keys`:
+`ssh-copy-id -i backupkey @`
+Add your `SSH_KEY` as docker secret:
+```
+abra app secret insert ssh_key v1 """$(cat backupkey)
+"""
+```
 ## Usage
diff --git a/abra.sh b/abra.sh
index b6a1153..d806fdb 100644
--- a/abra.sh
+++ b/abra.sh
@@ -1,2 +1,3 @@
 export ENTRYPOINT_VERSION=v1
 export BACKUPBOT_VERSION=v1
+export SSH_CONFIG_VERSION=v1
diff --git a/compose.ssh.yml b/compose.ssh.yml
index d6b68f3..bb48647 100644
--- a/compose.ssh.yml
+++ b/compose.ssh.yml
@@ -5,12 +5,19 @@ services:
 environment:
 - SSH_KEY_FILE=/run/secrets/ssh_key
 - SSH_HOST_KEY
- - SSH_HOST_KEY_DISABLE
 secrets:
 - source: ssh_key
 mode: 0400
+ configs:
+ - source: ssh_config
+ target: /root/.ssh/config
 secrets:
 ssh_key:
 external: true
 name: ${STACK_NAME}_ssh_key_${SECRET_SSH_KEY_VERSION}
+
+configs:
+ ssh_config:
+ name: ${STACK_NAME}_ssh_config_${SSH_CONFIG_VERSION}
+ file: ssh_config
diff --git a/entrypoint.sh b/entrypoint.sh
index 3ed47d0..7e8c728 100644
--- a/entrypoint.sh
+++ b/entrypoint.sh
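Review bot: The new `configs:` entry mounts `ssh_config` at `/root/.ssh/config` without a `mode:`, while the `ssh_key` secret two lines above is pinned to `mode: 0400`; OpenSSH rejects a per-user config that is group- or world-writable, so the mount currently relies on the config default mode rather than stating the requirement — pin it with `mode: 0400` under `target: /root/.ssh/config` for consistency with the secret. The removal of `SSH_HOST_KEY_DISABLE` also deserves a comment above `- SSH_HOST_KEY`, e.g. `# pinned server host key; entrypoint.sh writes it to known_hosts and there is no switch to disable host key checking`, so the next maintainer does not reintroduce the opt-out. Indentation of this hunk appears to have been lost in the collapsed rendering, so the nesting above is inferred.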
@@ -1,12 +1,17 @@
 #!/bin/sh
-set -eu
+set -eu -o pipefail
 apk add --upgrade --no-cache bash restic python3 py3-pip
 # Todo use requirements file with specific versions
 pip install click docker resticpy
+if [ -n "$SSH_HOST_KEY" ]
+then
+ echo "$SSH_HOST_KEY" > /root/.ssh/known_hosts
+fi
+
 cron_schedule="${CRON_SCHEDULE:?CRON_SCHEDULE not set}"
 echo "$cron_schedule backup create" | crontab -
diff --git a/ssh_config b/ssh_config
new file mode 100644
index 0000000..294dc88
--- /dev/null
+++ b/ssh_config
@@ -0,0 +1,4 @@
+Host *
+ IdentityFile /run/secrets/ssh_key
+ ServerAliveInterval 60
+ ServerAliveCountMax 240
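Review bot: `if [ -n "$SSH_HOST_KEY" ]` runs under the `set -eu` on line 2, so when `SSH_HOST_KEY` is not exported at all (compose.ssh.yml passes it through with no default, and the non-SSH compose variants presumably never set it) the shell aborts with an unset-parameter error before the cron job is installed, instead of simply skipping the pin; use `if [ -n "${SSH_HOST_KEY:-}" ]` so absent and empty are both treated as "no pin". The added `-o pipefail` under `#!/bin/sh` is only honoured if the image's `/bin/sh` supports it — that looks like busybox ash given the `apk add`, which does, but a one-line comment saying so would stop a later base-image change from silently dropping it. The script continues past this hunk.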
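Review bot: The new `Host *` block sets the identity and keepalives but leaves host key verification at OpenSSH's defaults, so the `known_hosts` file that entrypoint.sh writes from `SSH_HOST_KEY` is trusted only because the default `StrictHostKeyChecking ask` happens to fail without a tty; make the pin explicit with `StrictHostKeyChecking yes` and `UserKnownHostsFile /root/.ssh/known_hosts` so a missing or mismatched key is a hard, documented failure rather than a side effect of running non-interactively. Separately, `ServerAliveInterval 60` with `ServerAliveCountMax 240` means a dead connection is only torn down after roughly four hours; if that is intended to survive long restic uploads, a comment saying so would help, otherwise a smaller count is the usual choice.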