No Description

Fabian Peter Hammerle f3b4cc1d51 refactor entrypoint.sh: reduce code duplication in key authorization		1 year ago
.github	15a37bb2ac Bump docker/setup-buildx-action from 2.1.0 to 2.2.1 (#32)	1 year ago
CHANGELOG.md	44b0c64dd8 add sshd's `restrict` option to all key authorizations (redundant as port forwarding etc is already disabled in `sshd_config`)	1 year ago
Dockerfile	6ce4550eb6 Bump alpine from 3.16.1 to 3.16.2 (#27)	1 year ago
Makefile	a890c27fad release v0.1.0	3 years ago
README.md	cf058a19f4 add support for multiple repositories via env vars `REPO_PATH_[NAME]`, `SSH_CLIENT_PUBLIC_KEYS_[NAME]` & `SSH_CLIENT_PUBLIC_KEYS_APPEND_ONLY_[NAME]`	1 year ago
borgbackup-package-log.url	62997f8d5b upgrade borgbackup package from v1.1.17-r2 to v1.2.0-r0	1 year ago
docker-compose.yml	cf058a19f4 add support for multiple repositories via env vars `REPO_PATH_[NAME]`, `SSH_CLIENT_PUBLIC_KEYS_[NAME]` & `SSH_CLIENT_PUBLIC_KEYS_APPEND_ONLY_[NAME]`	1 year ago
entrypoint.sh	f3b4cc1d51 refactor entrypoint.sh: reduce code duplication in key authorization	1 year ago
openssh-package-log.url	62997f8d5b upgrade borgbackup package from v1.1.17-r2 to v1.2.0-r0	1 year ago
openssh-release-notes.url	80a654ad49 upgrade openssh server package v8.6_p1-r{2->3} (CVE-2021-41617)	2 years ago
sshd_config	a57c633cdd authorize public keys in env var SSH_CLIENT_PUBLIC_KEYS_APPEND_ONLY in append-only mode	3 years ago

docker: borgbackup-sshd 💾 🐳 🐙

Single-user OpenSSH server restricted to BorgBackup backend

$ sudo docker run --name borgbackup_sshd \
    -v ssh_host_keys:/etc/ssh/host_keys:rw \
    -v /somewhere:/repository:rw \
    --tmpfs /home/borg/.ssh:mode=1777,size=16k \
    --tmpfs /tmp:mode=1777,size=1M \
    -p 2200:2200 \
    -e SSH_CLIENT_PUBLIC_KEYS="$(cat ~/.ssh/id_*.pub)" \
    -e SSH_CLIENT_PUBLIC_KEYS_APPEND_ONLY="$(cat optional-append-only-keys.pub)" \
    --read-only --security-opt=no-new-privileges --cap-drop=ALL \
    docker.io/fphammerle/borgbackup-sshd

$ borg init --encryption=editme ssh://borg@127.0.0.1:2200//repository

$ borg create --stats ssh://borg@127.0.0.1:2200//repository::{hostname}-{utcnow} \
    ~/documents ~/photos ...

sudo docker may be replaced with podman.

Pre-built docker images are available at https://hub.docker.com/r/fphammerle/borgbackup-sshd/tags (mirror: https://quay.io/repository/fphammerle/borgbackup-sshd?tab=tags)

Annotation of signed git tags docker/* contains docker image digests: https://github.com/fphammerle/docker-borgbackup-sshd/tags

Detached signatures of images are available at https://github.com/fphammerle/container-image-sigstore (exluding automatically built latest tag).

Add Additional Repositories

$ sudo docker run --name borgbackup_sshd \
    -v repo_foo:/some/where/repo-foo \
    -e REPO_PATH_foo=/some/where/repo-foo \
    -e SSH_CLIENT_PUBLIC_KEYS_foo="$(cat keys-foo.pub)" \
    -e SSH_CLIENT_PUBLIC_KEYS_APPEND_ONLY_foo="$(cat keys-foo-append-only.pub)" \
    ...
    -v repo_bar:/some/where/else/bar \
    -e REPO_PATH_bar=/some/where/else/bar \
    -e SSH_CLIENT_PUBLIC_KEYS_bar="$(cat keys-bar.pub)" \
    -e SSH_CLIENT_PUBLIC_KEYS_APPEND_ONLY_bar="$(cat keys-bar-append-only.pub)" \
    ...

Currently, keys may only be authorized for a single repository.

Docker Compose 🐙

git clone https://github.com/fphammerle/docker-borgbackup-sshd
Add public keys to docker-compose.yml
docker-compose up --build

README.md

docker: borgbackup-sshd 💾 🐳 🐙

Add Additional Repositories

Docker Compose 🐙