
add support for multiple repositories via env vars `REPO_PATH_[NAME]`, `SSH_CLIENT_PUBLIC_KEYS_[NAME]` & `SSH_CLIENT_PUBLIC_KEYS_APPEND_ONLY_[NAME]`

Fabian Peter Hammerle 1 year ago
parent commit: cf058a19f4
4 changed files with 52 additions and 0 deletions
  1. CHANGELOG.md (+5 -0)
  2. README.md (+18 -0)
  3. docker-compose.yml (+16 -0)
  4. entrypoint.sh (+13 -0)

+ 5 - 0
CHANGELOG.md

@@ -5,6 +5,11 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
+### Added
+- support for multiple repositories via environment variables `REPO_PATH_[NAME]`,
+  `SSH_CLIENT_PUBLIC_KEYS_[NAME]`, and `SSH_CLIENT_PUBLIC_KEYS_APPEND_ONLY_[NAME]`.
+  keeping functionality of `BORG_REPO`, `SSH_CLIENT_PUBLIC_KEYS`,
+  and `SSH_CLIENT_PUBLIC_KEYS_APPEND_ONLY` for downward compatibility.
 
 ## [0.1.1] - 2021-06-20
 ### Fixed
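Review bot: the second half of the new changelog entry is a sentence fragment and "downward compatibility" should read "backward compatibility". Suggest splitting it into a full sentence, e.g. `  The existing `BORG_REPO`, `SSH_CLIENT_PUBLIC_KEYS`, and` / `  `SSH_CLIENT_PUBLIC_KEYS_APPEND_ONLY` variables keep working for backward compatibility.`, so the entry reads cleanly when the release notes are generated.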

+ 18 - 0
README.md

@@ -30,6 +30,24 @@ Annotation of signed git tags `docker/*` contains docker image digests: https://
 Detached signatures of images are available at https://github.com/fphammerle/container-image-sigstore
 (exluding automatically built `latest` tag).
 
+### Add Additional Repositories
+
+```sh
+$ sudo docker run --name borgbackup_sshd \
+    -v repo_foo:/some/where/repo-foo \
+    -e REPO_PATH_foo=/some/where/repo-foo \
+    -e SSH_CLIENT_PUBLIC_KEYS_foo="$(cat keys-foo.pub)" \
+    -e SSH_CLIENT_PUBLIC_KEYS_APPEND_ONLY_foo="$(cat keys-foo-append-only.pub)" \
+    ...
+    -v repo_bar:/some/where/else/bar \
+    -e REPO_PATH_bar=/some/where/else/bar \
+    -e SSH_CLIENT_PUBLIC_KEYS_bar="$(cat keys-bar.pub)" \
+    -e SSH_CLIENT_PUBLIC_KEYS_APPEND_ONLY_bar="$(cat keys-bar-append-only.pub)" \
+    ...
+```
+
+Currently, keys may only be authorized for a single repository.
+
 ### Docker Compose 🐙
 
 1. `git clone https://github.com/fphammerle/docker-borgbackup-sshd`
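Review bot: the new section documents the variable names but not their constraints, which is what an operator needs to get right: the `[NAME]` suffix is taken verbatim from the variable name (so `REPO_PATH_foo` and `REPO_PATH_Foo` are two different repositories), each `REPO_PATH_[NAME]` must point at a path that is mounted writable (the example mounts `repo_foo:/some/where/repo-foo` without `:ro`, which is correct, but the text does not say so), and either key list may be omitted for a repository. The closing sentence "Currently, keys may only be authorized for a single repository." should also say what happens if a key is nevertheless listed under two repositories, since the entrypoint does not detect that case and the first matching `authorized_keys` entry silently wins. Minor: the context line `(exluding automatically built `latest` tag).` has a pre-existing typo ("excluding") that could be fixed in the same commit.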

+ 16 - 0
docker-compose.yml

@@ -3,6 +3,7 @@ version: '2.3'
 volumes:
   ssh_host_keys:
   repository:
+  #additional_repositories:
 
 services:
   sshd:
@@ -16,6 +17,17 @@ services:
       SSH_CLIENT_PUBLIC_KEYS_APPEND_ONLY: |
         ssh-rsa ...
         ssh-rsa ...
+      #REPO_PATH_foo: /additional-repositories/foo
+      #SSH_CLIENT_PUBLIC_KEYS_foo: |
+      #  ssh-rsa ...
+      #  ssh-rsa ...
+      #SSH_CLIENT_PUBLIC_KEYS_APPEND_ONLY_foo: |
+      #  ssh-rsa ...
+      #  ssh-rsa ...
+      #REPO_PATH_bar: /additional-repositories/bar
+      #SSH_CLIENT_PUBLIC_KEYS_APPEND_ONLY_bar: |
+      #  ssh-rsa ...
+      #  ssh-rsa ...
     read_only: true
     volumes:
     - type: volume
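Review bot: the commented `bar` example sets `#REPO_PATH_bar: /additional-repositories/bar` with only `#SSH_CLIENT_PUBLIC_KEYS_APPEND_ONLY_bar:` and no `SSH_CLIENT_PUBLIC_KEYS_bar`, which is a useful illustration of an append-only-only repository, but nothing says that this omission is intentional. A one-line comment above the block (e.g. `# either key list may be left out for an additional repository`) would stop readers from treating the asymmetry as a copy-paste mistake.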
@@ -26,6 +38,10 @@ services:
       source: repository
       target: /repository
       read_only: false
+    #- type: volume
+    #  source: additional_repositories
+    #  target: /additional-repositories
+    #  read_only: false
     - type: tmpfs
       target: /home/borg/.ssh # authorized_keys
       tmpfs:
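Review bot: a single `additional_repositories` volume mounted at `/additional-repositories` puts every extra repository into one volume, whereas the README example in this same commit mounts one named volume per repository (`repo_foo`, `repo_bar`). Either layout works with the entrypoint, but the two examples should agree; if the shared volume is preferred for brevity, a comment noting that one volume per repository is equally valid (and keeps backups and restores of the repositories independent) would help.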

+ 13 - 0
entrypoint.sh

@@ -26,6 +26,19 @@ printenv SSH_CLIENT_PUBLIC_KEYS_APPEND_ONLY | while IFS=$'\n' read -r key; do
 done
 unset SSH_CLIENT_PUBLIC_KEYS_APPEND_ONLY
 unset REPO_PATH
+while IFS=$'\n' read line; do
+    repo_name="$(echo -E "$line" | cut -d = -f 1 | cut -d _ -f 3-)"
+    repo_path="$(printenv "REPO_PATH_${repo_name}")"
+    unset "REPO_PATH_${repo_name}"
+    printenv "SSH_CLIENT_PUBLIC_KEYS_${repo_name}" | while IFS=$'\n' read -r key; do
+        authorize_key "$repo_path" "$key" ""
+    done
+    unset "SSH_CLIENT_PUBLIC_KEYS_${repo_name}"
+    printenv "SSH_CLIENT_PUBLIC_KEYS_APPEND_ONLY_${repo_name}" | while IFS=$'\n' read -r key; do
+        authorize_key "$repo_path" "$key" " --append-only"
+    done
+    unset "SSH_CLIENT_PUBLIC_KEYS_APPEND_ONLY_${repo_name}"
+done < <(printenv | grep '^REPO_PATH_')
 
 set -x
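Review bot: three points on the new loop. First, `while IFS=$'\n' read line; do` lacks the `-r` that every inner loop uses, so a backslash in the scanned line is interpreted by `read`; make it `read -r line` for consistency. Second, `repo_path` is never validated: an empty `REPO_PATH_foo=` (or a variable whose value contains a newline, in which case `printenv | grep '^REPO_PATH_'` only sees the first line) still results in `authorize_key "$repo_path" "$key" ""` being called with an empty or truncated path, and `unset "REPO_PATH_${repo_name}"` then hides the cause; a guard such as `[ -n "$repo_path" ] || { echo "REPO_PATH_${repo_name} is empty" >&2; exit 1; }` right after the `printenv` would fail loudly instead. Third, `done < <(printenv | grep '^REPO_PATH_')` matches lines of values, not just variable names, so because the key lists are multi-line values, any line in them that happens to begin with `REPO_PATH_` would be parsed as a repository definition; since the script already relies on bash (process substitution, `$'\n'`), iterating over exported names with `compgen -e` (or `printenv --null` split on NUL) and filtering those for the `REPO_PATH_` prefix avoids that, and the `echo -E "$line" | cut -d = -f 1 | cut -d _ -f 3-` pipeline then reduces to `${name#REPO_PATH_}`.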