dependabot[bot] d82e4dfc9f Bump docker/build-push-action from 6.7.0 to 6.9.0 (#87) | 2 months ago | |
---|---|---|
.github | 2 months ago | |
CHANGELOG.md | 2 years ago | |
Dockerfile | 3 months ago | |
Makefile | 3 years ago | |
README.md | 2 years ago | |
docker-compose.yml | 2 years ago | |
entrypoint.sh | 2 years ago | |
sshd_config | 2 years ago | |
tini-package-log.url | 1 year ago |
Single-user OpenSSH server restricted to BorgBackup backend
$ sudo docker run --name borgbackup_sshd \
-v ssh_host_keys:/etc/ssh/host_keys:rw \
-v /somewhere:/repository:rw \
--tmpfs /home/borg/.ssh:mode=1777,size=16k \
--tmpfs /tmp:mode=1777,size=1M \
-p 2200:2200 \
-e SSH_CLIENT_PUBLIC_KEYS="$(cat ~/.ssh/id_*.pub)" \
-e SSH_CLIENT_PUBLIC_KEYS_APPEND_ONLY="$(cat optional-append-only-keys.pub)" \
--read-only --security-opt=no-new-privileges --cap-drop=ALL \
docker.io/fphammerle/borgbackup-sshd
$ borg init --encryption=editme ssh://borg@127.0.0.1:2200//repository
$ borg create --stats ssh://borg@127.0.0.1:2200//repository::{hostname}-{utcnow} \
~/documents ~/photos ...
sudo docker
may be replaced with podman
.
Pre-built docker images are available at https://hub.docker.com/r/fphammerle/borgbackup-sshd/tags (mirror: https://quay.io/repository/fphammerle/borgbackup-sshd?tab=tags)
Annotation of signed git tags docker/*
contains docker image digests: https://github.com/fphammerle/docker-borgbackup-sshd/tags
Detached signatures of images are available at https://github.com/fphammerle/container-image-sigstore
(exluding automatically built latest
tag).
$ sudo docker run --name borgbackup_sshd \
-v repo_foo:/some/where/repo-foo \
-e REPO_PATH_foo=/some/where/repo-foo \
-e SSH_CLIENT_PUBLIC_KEYS_foo="$(cat keys-foo.pub)" \
-e SSH_CLIENT_PUBLIC_KEYS_APPEND_ONLY_foo="$(cat keys-foo-append-only.pub)" \
...
-v repo_bar:/some/where/else/bar \
-e REPO_PATH_bar=/some/where/else/bar \
-e SSH_CLIENT_PUBLIC_KEYS_bar="$(cat keys-bar.pub)" \
-e SSH_CLIENT_PUBLIC_KEYS_APPEND_ONLY_bar="$(cat keys-bar-append-only.pub)" \
...
Currently, individual keys may be authorized either for a single repository
or for all repositories via SSH_CLIENT_PUBLIC_KEYS_ALL
:
$ sudo docker run --name borgbackup_sshd \
-v repo_foo:/some/where/repo-foo \
-e REPO_PATH_foo=/some/where/repo-foo \
-v repo_bar:/some/where/else/bar \
-e REPO_PATH_bar=/some/where/else/bar \
...
-e SSH_CLIENT_PUBLIC_KEYS_ALL="$(cat ~/.ssh/id_*.pub)" \
...
git clone https://github.com/fphammerle/docker-borgbackup-sshd
docker-compose up --build