feat: make gotify optional (#16)

Reviewed-on: #16
Co-authored-by: Timo Behrendt <t.behrendt@t00n.de>
Co-committed-by: Timo Behrendt <t.behrendt@t00n.de>

.gitea/workflows/cd.yaml

@@ -0,0 +1,111 @@
+name: CD
+
+on:
+  push:
+    branches:
+      - main
+
+env:
+  DOCKER_REGISTRY: gitea.t000-n.de
+
+jobs:
+  check-changes:
+    name: Check changes
+    runs-on: ubuntu-latest
+    outputs:
+      changes: ${{ steps.filter.outputs.code }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v5
+
+      - name: Get changed files
+        id: filter
+        uses: dorny/paths-filter@v3
+        with:
+          filters: |
+            code:
+              - 'src/**'
+              - 'Dockerfile'
+              - 'gitea/workflows/**'
+
+  build_and_push:
+    name: Build and push
+    needs:
+      - check-changes
+    if: ${{ needs.check-changes.outputs.changes != '0' }}
+    strategy:
+      matrix:
+        arch:
+          - amd64
+          - arm64
+    runs-on:
+      - ubuntu-latest
+      - linux_${{ matrix.arch }}
+    steps:
+      - uses: actions/checkout@v5
+      - uses: docker/setup-buildx-action@v3
+      - uses: docker/login-action@v3
+        with:
+          registry: ${{ env.DOCKER_REGISTRY }}
+          username: ${{ secrets.REGISTRY_USER }}
+          password: ${{ secrets.REGISTRY_PASSWORD }}
+      - id: meta
+        run: |
+          echo REPO_NAME=$(echo ${GITHUB_REPOSITORY} | awk -F"/" '{print $2}' | tr '[:upper:]' '[:lower:]') >> $GITHUB_OUTPUT
+          echo REPO_VERSION=$(git describe --tags --always | sed 's/^v//') >> $GITHUB_OUTPUT
+      - uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: ./Dockerfile
+          platforms: linux/${{ matrix.arch }}
+          push: true
+          provenance: false
+          tags: |
+            ${{ env.DOCKER_REGISTRY }}/t.behrendt/${{ steps.meta.outputs.REPO_NAME }}:${{ steps.meta.outputs.REPO_VERSION }}-${{ matrix.arch }}
+
+  create_tag:
+    name: Create tag
+    needs:
+      - check-changes
+    if: ${{ needs.check-changes.outputs.changes != '0' }}
+    runs-on: ubuntu-latest
+    outputs:
+      tag: ${{ steps.tag.outputs.new-tag }}
+    steps:
+      - uses: actions/checkout@v5
+        with:
+          fetch-depth: 0
+      - uses: https://gitea.t000-n.de/t.behrendt/conventional-semantic-git-tag-increment@0.0.2
+        id: tag
+        with:
+          token: ${{ secrets.GITEA_TOKEN }}
+      - run: |
+          git tag ${{ steps.tag.outputs.new-tag }}
+          git push origin ${{ steps.tag.outputs.new-tag }}
+      - name: Set output
+        run: |
+          echo "tag=${{ steps.tag.outputs.new-tag }}" >> $GITHUB_OUTPUT
+
+  create_manifest:
+    name: Create manifest
+    needs:
+      - build_and_push
+      - create_tag
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+      - id: meta
+        run: |
+          echo REPO_NAME=$(echo ${GITHUB_REPOSITORY} | awk -F"/" '{print $2}' | tr '[:upper:]' '[:lower:]') >> $GITHUB_OUTPUT
+          echo REPO_VERSION=$(git describe --tags --always | sed 's/^v//') >> $GITHUB_OUTPUT
+      - uses: docker/login-action@v3
+        with:
+          registry: ${{ env.DOCKER_REGISTRY }}
+          username: ${{ secrets.REGISTRY_USER }}
+          password: ${{ secrets.REGISTRY_PASSWORD }}
+      - run: |
+          docker manifest create ${{ env.DOCKER_REGISTRY }}/t.behrendt/${{ steps.meta.outputs.REPO_NAME }}:${{ needs.create_tag.outputs.tag }} \
+            ${{ env.DOCKER_REGISTRY }}/t.behrendt/${{ steps.meta.outputs.REPO_NAME }}:${{ steps.meta.outputs.REPO_VERSION }}-amd64 \
+            ${{ env.DOCKER_REGISTRY }}/t.behrendt/${{ steps.meta.outputs.REPO_NAME }}:${{ steps.meta.outputs.REPO_VERSION }}-arm64
+
+          docker manifest push ${{ env.DOCKER_REGISTRY }}/t.behrendt/${{ steps.meta.outputs.REPO_NAME }}:${{ needs.create_tag.outputs.tag }}

.gitea/workflows/ci.yaml

@@ -0,0 +1,24 @@
+name: CI
+
+on:
+  pull_request:
+
+jobs:
+  build:
+    name: Build Docker image
+    runs-on:
+      - ubuntu-latest
+      - linux_amd64
+    steps:
+      - uses: actions/checkout@v5
+      - uses: docker/setup-buildx-action@v3
+      - name: Build image
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: ./Dockerfile
+          platforms: linux/amd64
+          push: false
+          provenance: false
+          tags: |
+            backupsidecar:ci-test

Dockerfile

@@ -0,0 +1,16 @@
+FROM alpine:3.22
+
+RUN apk update && apk add --no-cache \
+    bash \
+    curl \
+    restic \
+    postgresql-client \
+    jq
+
+WORKDIR /app
+
+COPY src/backup.sh /app/backup.sh
+
+RUN chmod +x /app/backup.sh
+
+ENTRYPOINT ["/app/backup.sh"]

README.md

@@ -1,3 +1,123 @@
-# backupsidecar
+# BackupSidecar
 
-Backup sidecar that automatically creates backups of one PVC and saves it to another PVC via restic
+BackupSidecar is a lightweight backup solution designed to run as a cron job in Kubernetes. It automates backups using Restic and supports both directory and PostgreSQL database backups. Optional notifications can be sent via Gotify to keep you informed of backup results.
+
+## Configuration
+
+BackupSidecar is configured through environment variables. Below is a breakdown of the available settings.
+
+### General Settings
+
+These variables apply to both directory and PostgreSQL backups.
+
+- **`BACKUP_MODE`** _(optional)_ - Defines the backup type (`directory` or `postgres`). Defaults to `directory`.
+- **`RESTIC_PASSWORD`** _(required)_ - The encryption password for Restic.
+- **`RESTIC_REPOSITORY`** _(required)_ - The URI of the Restic repository (e.g., `rest:http://your-rest-server:8000/backup`).
+- **`RESTIC_REST_USERNAME`** _(optional)_ - The username for REST server authentication.
+- **`RESTIC_REST_PASSWORD`** _(optional)_ - The password for REST server authentication.
+- **`ENABLE_GOTIFY`** _(optional)_ - Enable Gotify notifications. Set to `true` to enable, any other value or unset disables notifications. Defaults to `true`.
+- **`GOTIFYHOST`** _(required when ENABLE_GOTIFY=true)_ - The Gotify server URL.
+- **`GOTIFYTOKEN`** _(required when ENABLE_GOTIFY=true)_ - The API token for Gotify.
+- **`GOTIFYTOPIC`** _(required when ENABLE_GOTIFY=true)_ - The topic under which backup notifications will be sent.
+
+### Directory Backup
+
+When running in `directory` mode, the following variable must be set:
+
+- **`SOURCEDIR`** _(required)_ - The path of the directory to be backed up.
+
+### PostgreSQL Backup
+
+For `postgres` mode, the following database-related variables are required:
+
+- **`PGHOST`** _(required)_ - The hostname of the PostgreSQL server.
+- **`PGDATABASE`** _(required)_ - The name of the database to back up.
+- **`PGUSER`** _(required)_ - The PostgreSQL username.
+- **`PGPORT`** _(optional)_ - The port for PostgreSQL (defaults to `5432`).
+- **`PGPASSWORD`** _(optional)_ - The password for authentication. Setting this prevents interactive prompts.
+- **`PG_DUMP_ARGS`** _(optional)_ - Additional flags for `pg_dump`.
+
+## Dependencies
+
+Ensure the following commands are available in the container:
+
+- `restic`
+- `curl`
+- `jq`
+- `pg_dump` _(only required for `postgres` mode)_
+
+## Usage
+
+Example Kubernetes CronJob manifest for running BackupSidecar as a cron job for directory backups in minimal configuration:
+
+```yaml
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: backupsidecar-cron
+  namespace: authentik
+spec:
+  schedule: "0 7 * * *"
+  concurrencyPolicy: Forbid
+  successfulJobsHistoryLimit: 5
+  failedJobsHistoryLimit: 3
+  jobTemplate:
+    spec:
+      backoffLimit: 3
+      activeDeadlineSeconds: 300
+      template:
+        spec:
+          restartPolicy: OnFailure
+          containers:
+            - name: backupsidecar
+              image: backupsidecar:latest
+              env:
+                - name: RESTIC_REPOSITORY
+                  value: "rest:http://rest-server:8000/backup"
+                - name: RESTIC_PASSWORD
+                  valueFrom:
+                    secretKeyRef:
+                      name: backupsidecar-secret
+                      key: restic_password
+                - name: BACKUP_MODE
+                  value: "directory" # or "postgres"
+                - name: SOURCEDIR
+                  value: "/data/source"
+                - name: ENABLE_GOTIFY
+                  value: "true"
+                - name: GOTIFYHOST
+                  value: "http://gotify.example.com"
+                - name: GOTIFYTOKEN
+                  valueFrom:
+                    secretKeyRef:
+                      name: backupsidecar-secret
+                      key: gotify_token
+                - name: GOTIFYTOPIC
+                  value: "Backup Notification"
+              # (For PostgreSQL mode, add PGHOST, PGDATABASE, PGUSER, PGPORT, PGPASSWORD)
+              volumeMounts:
+                - name: source-data
+                  mountPath: /data/source
+          restartPolicy: OnFailure
+          volumes:
+            - name: source-data
+              persistentVolumeClaim:
+                claimName: source-data-pvc
+```
+
+## Notifications
+
+The script can send success or failure notifications via Gotify when enabled. To enable notifications, set `ENABLE_GOTIFY=true` and provide the required Gotify configuration variables (`GOTIFYHOST`, `GOTIFYTOKEN`, `GOTIFYTOPIC`). When notifications are disabled, backup status messages are still logged to the console.
+
+Example success notification:
+
+```
+Backup successful. Snapshot 56ff6a909a44e01f67d2d88f9a76aa713d437809d7ed14a2361e28893f38befb: files new: 1, files changed: 0, data added: 1019 bytes in 0.277535184 sec
+```
+
+When Gotify is disabled, you'll see a single message at startup indicating notifications are disabled, followed by normal backup status messages:
+
+```
+2024-01-15T10:30:00 - Gotify notifications disabled. Backup status will be logged to console only.
+2024-01-15T10:30:05 - Backup successful. Snapshot 56ff6a909a44e01f67d2d88f9a76aa713d437809d7ed14a2361e28893f38befb: files new: 1, files changed: 0, data added: 1019 bytes in 0.277535184 sec
+```

renovate.json

@@ -0,0 +1,3 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json"
+}

src/backup.sh

@@ -0,0 +1,204 @@
+#!/bin/bash
+set -euo pipefail
+
+#######################################
+# Date format for logging.
+#######################################
+LOG_DATE_FORMAT="%Y-%m-%dT%T"
+
+#######################################
+# Log a message with a timestamp.
+# Arguments:
+#   Message to log.
+#######################################
+log() {
+    echo "$(date +"$LOG_DATE_FORMAT") - $*"
+}
+
+#######################################
+# Determine backup mode from the environment only.
+# Valid values: "directory" or "postgres".
+# Default to "directory" if not provided.
+#######################################
+BACKUP_MODE="${BACKUP_MODE:-directory}"
+
+#######################################
+# Check for required external commands.
+#######################################
+REQUIRED_CMDS=(restic curl jq)
+if [ "$BACKUP_MODE" = "postgres" ]; then
+    REQUIRED_CMDS+=(pg_dump)
+fi
+
+for cmd in "${REQUIRED_CMDS[@]}"; do
+    if ! command -v "$cmd" &>/dev/null; then
+        log "Error: Required command '$cmd' is not installed."
+        exit 1
+    fi
+done
+
+#######################################
+# Validate common required environment variables.
+#######################################
+# Gotify notification settings (optional).
+# Set ENABLE_GOTIFY to "true" to enable notifications, any other value or unset disables them.
+ENABLE_GOTIFY="${ENABLE_GOTIFY:-true}"
+
+if [ "$ENABLE_GOTIFY" = "true" ]; then
+    : "${GOTIFYHOST:?Environment variable GOTIFYHOST is not set (required when ENABLE_GOTIFY=true)}"
+    : "${GOTIFYTOKEN:?Environment variable GOTIFYTOKEN is not set (required when ENABLE_GOTIFY=true)}"
+    : "${GOTIFYTOPIC:?Environment variable GOTIFYTOPIC is not set (required when ENABLE_GOTIFY=true)}"
+else
+    log "Gotify notifications disabled. Backup status will be logged to console only."
+fi
+
+# Restic encryption password.
+: "${RESTIC_PASSWORD:?Environment variable RESTIC_PASSWORD is not set}"
+
+# Use the repository URI directly from the environment.
+# Example: export RESTIC_REPOSITORY="rest:http://your-rest-server:8000/backup"
+: "${RESTIC_REPOSITORY:?Environment variable RESTIC_REPOSITORY is not set}"
+
+#######################################
+# Validate mode-specific environment variables.
+#######################################
+case "$BACKUP_MODE" in
+    directory)
+        : "${SOURCEDIR:?Environment variable SOURCEDIR is not set (required for directory backup mode)}"
+        ;;
+    postgres)
+        : "${PGHOST:?Environment variable PGHOST is not set (required for PostgreSQL backup mode)}"
+        : "${PGDATABASE:?Environment variable PGDATABASE is not set (required for PostgreSQL backup mode)}"
+        : "${PGUSER:?Environment variable PGUSER is not set (required for PostgreSQL backup mode)}"
+        # Optional: default PGPORT to 5432.
+        : "${PGPORT:=5432}"
+        if [ -z "${PGPASSWORD:-}" ]; then
+            echo "Warning: Environment variable PGPASSWORD is not set. pg_dump may fail if authentication is required."
+        fi
+        ;;
+    *)
+        echo "Error: Unknown backup mode '$BACKUP_MODE'. Valid modes are 'directory' and 'postgres'." >&2
+        exit 1
+        ;;
+esac
+
+#######################################
+# Build the Gotify URL (only if Gotify is enabled).
+#######################################
+if [ "$ENABLE_GOTIFY" = "true" ]; then
+    GOTIFYURL="${GOTIFYHOST}/message?token=${GOTIFYTOKEN}"
+fi
+
+#######################################
+# Send a notification via Gotify.
+# Arguments:
+#   message: The message to send.
+#######################################
+send_notification() {
+    local message="$1"
+    
+    # Only send notification if Gotify is enabled
+    if [ "$ENABLE_GOTIFY" != "true" ]; then
+        log "$message"
+        return 0
+    fi
+    
+    if ! curl -s -X POST "$GOTIFYURL" -F "title=${GOTIFYTOPIC}" -F "message=${message}" >/dev/null; then
+        log "Warning: Failed to send notification with message: ${message}"
+    fi
+}
+
+#######################################
+# Run the backup using restic.
+# The --no-cache flag disables local caching.
+# Arguments:
+#   $1 - The source directory to back up.
+#######################################
+run_restic_backup() {
+    local source_dir="$1"
+    cd "${source_dir}"
+    log "Starting backup of '${source_dir}' to repository ${RESTIC_REPOSITORY}"
+    # Capture both stdout and stderr in a variable
+    backup_output=$(restic -r "${RESTIC_REPOSITORY}" backup --no-cache --json --verbose . 2>&1)
+    # Optionally, also print the output to the console:
+    echo "$backup_output"
+    # Parse the JSON lines output for the summary message
+    summary=$(echo "$backup_output" | jq -r 'select(.message_type=="summary") | "Snapshot " + (.snapshot_id // "none") + ": " + "files new: " + (.files_new|tostring) + ", files changed: " + (.files_changed|tostring) + ", data added: " + (.data_added|tostring) + " bytes in " + (.total_duration|tostring) + " sec"')
+    # Check exit code of restic backup (assuming restic exits non-zero on error)
+    if [ $? -eq 0 ]; then
+        msg="Backup successful. $summary"
+        log "$msg"
+        send_notification "$msg"
+    else
+        exit_code=$?
+        msg="Backup failed with error code ${exit_code}. $backup_output"
+        log "$msg"
+        send_notification "$msg"
+        exit "$exit_code"
+    fi
+}
+
+
+#######################################
+# Backup a directory (regular mode).
+#######################################
+backup_directory() {
+    run_restic_backup "${SOURCEDIR}"
+}
+
+#######################################
+# Backup a PostgreSQL database.
+# Dumps the database to a temporary directory and then backs it up.
+#######################################
+backup_postgres() {
+    log "Starting PostgreSQL backup for database '${PGDATABASE}' on host '${PGHOST}'"
+    
+    # Create a temporary directory for the database dump.
+    TEMP_BACKUP_DIR=$(mktemp -d)
+    log "Created temporary directory: ${TEMP_BACKUP_DIR}"
+
+    local dump_file="${TEMP_BACKUP_DIR}/dump.sql"
+    log "Dumping PostgreSQL database to ${dump_file}..."
+    if pg_dump -h "${PGHOST}" -p "${PGPORT}" -U "${PGUSER}" ${PG_DUMP_ARGS:-} "${PGDATABASE}" > "${dump_file}"; then
+        log "Database dump created successfully."
+    else
+        local exit_code=$?
+        local msg="PostgreSQL dump failed with error code ${exit_code}"
+        log "$msg"
+        send_notification "$msg"
+        exit "$exit_code"
+    fi
+
+    # Back up the directory containing the dump.
+    run_restic_backup "${TEMP_BACKUP_DIR}"
+}
+
+#######################################
+# Cleanup temporary resources.
+#######################################
+cleanup() {
+    if [ -n "${TEMP_BACKUP_DIR:-}" ] && [ -d "${TEMP_BACKUP_DIR}" ]; then
+        rm -rf "${TEMP_BACKUP_DIR}"
+        log "Removed temporary directory ${TEMP_BACKUP_DIR}"
+    fi
+}
+trap cleanup EXIT
+
+#######################################
+# Main routine.
+#######################################
+main() {
+    case "$BACKUP_MODE" in
+        directory)
+            backup_directory
+            ;;
+        postgres)
+            backup_postgres
+            ;;
+    esac
+}
+
+# Trap termination signals to log and exit cleanly.
+trap 'log "Script interrupted. Exiting."; exit 1' SIGINT SIGTERM
+
+main