Initial commit

README.md

@@ -0,0 +1,48 @@
+# restic-backup-sidecar
+
+Docker sidecar container for restic backups via SFTP. Runs on Alpine with restic, mariadb-client, and sqlite.
+
+## Structure
+
+```
+Dockerfile, entrypoint.sh, backup.sh   # Shared image (copy to each service's restic/ dir)
+mailcow/hooks/                         # MariaDB dump via socket
+vaultwarden/hooks/                     # SQLite .backup for vaultwarden
+gitea/hooks/                           # SQLite .backup for gitea
+```
+
+## Setup per service
+
+1. Copy `Dockerfile`, `entrypoint.sh`, `backup.sh` into `<service>/restic/`
+2. Copy the matching `hooks/` directory
+3. Create `secrets/restic_password` with a strong passphrase
+4. Create `ssh/config` (see `ssh/config.sample`), add your private key as `ssh/id_ed25519`, populate `known_hosts` via `ssh-keyscan`
+5. Create the target directory on the NAS: `mkdir -p /mnt/data/backup/admiralackbar.de/<service>`
+6. Add the sidecar service to the compose file (see compose snippets in each service dir)
+
+## Environment variables
+
+| Variable | Default | Description |
+|---|---|---|
+| `RESTIC_REPOSITORY` | — | SFTP target (`sftp:user@host:/path`) |
+| `RESTIC_PASSWORD_FILE` | — | Path to password file (use Docker secrets) |
+| `BACKUP_CRON` | `20 7 * * *` | Cron schedule |
+| `BACKUP_SOURCE` | `/mnt/source /mnt/staging` | Paths to back up |
+| `KEEP_DAILY` | `1` | Daily snapshots to keep |
+| `KEEP_WEEKLY` | `3` | Weekly snapshots to keep |
+| `KEEP_MONTHLY` | `4` | Monthly snapshots to keep |
+| `KEEP_YEARLY` | `1` | Yearly snapshots to keep |
+| `MYSQL_*` | — | MariaDB credentials (mailcow only) |
+
+## Hooks
+
+Mount scripts to `/hooks/` in the container:
+- `pre-backup.sh` — runs before `restic backup` (e.g. database dump)
+- `post-backup.sh` — runs after `restic forget --prune` (e.g. cleanup)
+
+## Manual backup / check
+
+```bash
+docker exec <container> /usr/local/bin/backup.sh
+docker exec <container> restic snapshots
+```