# restic-backup-sidecar

Docker sidecar container for restic backups via SFTP. Runs on Alpine with restic, mariadb-client, and sqlite.

## Structure

```
Dockerfile, entrypoint.sh, backup.sh   # Shared image (copy to each service's restic/ dir)
mailcow/hooks/                         # MariaDB dump via socket
vaultwarden/hooks/                     # SQLite .backup for vaultwarden
gitea/hooks/                           # SQLite .backup for gitea
```

## Setup per service

1. Copy `Dockerfile`, `entrypoint.sh`, `backup.sh` into `<service>/restic/`
2. Copy the matching `hooks/` directory
3. Create `secrets/restic_password` with a strong passphrase
4. Create `ssh/config` (see `ssh/config.sample`), add your private key as `ssh/id_ed25519`, populate `known_hosts` via `ssh-keyscan`
5. Create the target directory on the NAS: `mkdir -p /mnt/data/backup/admiralackbar.de/<service>`
6. Add the sidecar service to the compose file (see compose snippets in each service dir)

## Environment variables

| Variable | Default | Description |
|---|---|---|
| `RESTIC_REPOSITORY` | — | SFTP target (`sftp:user@host:/path`) |
| `RESTIC_PASSWORD_FILE` | — | Path to password file (use Docker secrets) |
| `BACKUP_CRON` | `20 7 * * *` | Cron schedule |
| `BACKUP_SOURCE` | `/mnt/source /mnt/staging` | Paths to back up |
| `KEEP_DAILY` | `1` | Daily snapshots to keep |
| `KEEP_WEEKLY` | `3` | Weekly snapshots to keep |
| `KEEP_MONTHLY` | `4` | Monthly snapshots to keep |
| `KEEP_YEARLY` | `1` | Yearly snapshots to keep |
| `MYSQL_*` | — | MariaDB credentials (mailcow only) |

## Hooks

Mount scripts to `/hooks/` in the container:
- `pre-backup.sh` — runs before `restic backup` (e.g. database dump)
- `post-backup.sh` — runs after `restic forget --prune` (e.g. cleanup)

## Manual backup / check

```bash
docker exec <container> /usr/local/bin/backup.sh
docker exec <container> restic snapshots
```