restic-backup-sidecar

Docker sidecar container for restic backups via SFTP. Runs on Alpine with restic, mariadb-client, and sqlite.

Structure

Dockerfile, entrypoint.sh, backup.sh   # Shared image (copy to each service's restic/ dir)
mailcow/hooks/                         # MariaDB dump via socket
vaultwarden/hooks/                     # SQLite .backup for vaultwarden
gitea/hooks/                           # SQLite .backup for gitea

Setup per service

1. Copy Dockerfile, entrypoint.sh, backup.sh into <service>/restic/
2. Copy the matching hooks/ directory
3. Create secrets/restic_password with a strong passphrase
4. Create ssh/config (see ssh/config.sample), add your private key as ssh/id_ed25519, populate known_hosts via ssh-keyscan
5. Create the target directory on the NAS: mkdir -p /path/to/your/backup/<service>
6. Add the sidecar service to the compose file (see compose snippets in each service dir)

Environment variables

Variable	Default	Description
RESTIC_REPOSITORY	—	SFTP target (sftp:user@host:/path)
RESTIC_PASSWORD_FILE	—	Path to password file (use Docker secrets)
BACKUP_CRON	20 7 * * *	Cron schedule
BACKUP_SOURCE	/mnt/source /mnt/staging	Paths to back up
KEEP_DAILY	1	Daily snapshots to keep
KEEP_WEEKLY	3	Weekly snapshots to keep
KEEP_MONTHLY	4	Monthly snapshots to keep
KEEP_YEARLY	1	Yearly snapshots to keep
MYSQL_*	—	MariaDB credentials (mailcow only)

Hooks

Mount scripts to /hooks/ in the container:

• pre-backup.sh — runs before restic backup (e.g. database dump)
• post-backup.sh — runs after restic forget --prune (e.g. cleanup)

Manual backup / check

docker exec <container> /usr/local/bin/backup.sh
docker exec <container> restic snapshots