Change default value for SSH identity file (#108)

* Change default value for SSH identity file

* Force remove write protected file in tests

.circleci/config.yml

@@ -48,6 +48,7 @@ jobs:
             if [[ "$CIRCLE_TAG" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
               # prerelease tags like `v2.0.0-alpha.1` should not be released as `latest`
               tag_args="$tag_args -t offen/docker-volume-backup:latest"
+              tag_args="$tag_args -t offen/docker-volume-backup:$(echo "$CIRCLE_TAG" | cut -d. -f1)"
             fi
             docker buildx build --platform linux/amd64,linux/arm64,linux/arm/v7 \
                $tag_args . --push

Dockerfile

@@ -1,7 +1,7 @@
 # Copyright 2021 - Offen Authors <hioffen@posteo.de>
 # SPDX-License-Identifier: MPL-2.0
 
-FROM golang:1.17-alpine as builder
+FROM golang:1.18-alpine as builder
 
 WORKDIR /app
 COPY go.mod go.sum ./

README.md

@@ -7,7 +7,7 @@
 Backup Docker volumes locally or to any S3 compatible storage.
 
 The [offen/docker-volume-backup](https://hub.docker.com/r/offen/docker-volume-backup) Docker image can be used as a lightweight (below 15MB) sidecar container to an existing Docker setup.
-It handles __recurring or one-off backups of Docker volumes__ to a __local directory__, __any S3 or WebDAV compatible storage (or any combination) and rotates away old backups__ if configured. It also supports __encrypting your backups using GPG__ and __sending notifications for failed backup runs__.
+It handles __recurring or one-off backups of Docker volumes__ to a __local directory__, __any S3, WebDAV or SSH compatible storage (or any combination) and rotates away old backups__ if configured. It also supports __encrypting your backups using GPG__ and __sending notifications for failed backup runs__.
 
 <!-- MarkdownTOC -->
 
@@ -27,13 +27,16 @@ It handles __recurring or one-off backups of Docker volumes__ to a __local direc
   - [Using with Docker Swarm](#using-with-docker-swarm)
   - [Manually triggering a backup](#manually-triggering-a-backup)
   - [Update deprecated email configuration](#update-deprecated-email-configuration)
+  - [Replace deprecated `BACKUP_FROM_SNAPSHOT` usage](#replace-deprecated-backup_from_snapshot-usage)
   - [Using a custom Docker host](#using-a-custom-docker-host)
   - [Run multiple backup schedules in the same container](#run-multiple-backup-schedules-in-the-same-container)
+  - [Define different retention schedules](#define-different-retention-schedules)
 - [Recipes](#recipes)
   - [Backing up to AWS S3](#backing-up-to-aws-s3)
   - [Backing up to Filebase](#backing-up-to-filebase)
   - [Backing up to MinIO](#backing-up-to-minio)
   - [Backing up to WebDAV](#backing-up-to-webdav)
+  - [Backing up to SSH](#backing-up-to-ssh)
   - [Backing up locally](#backing-up-locally)
   - [Backing up to AWS S3 as well as locally](#backing-up-to-aws-s3-as-well-as-locally)
   - [Running on a custom cron schedule](#running-on-a-custom-cron-schedule)
@@ -107,7 +110,7 @@ docker run --rm \
   --env AWS_SECRET_ACCESS_KEY="<xxx>" \
   --env AWS_S3_BUCKET_NAME="<xxx>" \
   --entrypoint backup \
-  offen/docker-volume-backup:latest
+  offen/docker-volume-backup:v2
 ```
 
 Alternatively, pass a `--env-file` in order to use a full config as described below.
@@ -149,6 +152,11 @@ You can populate below template according to your requirements and use it as you
 
 # BACKUP_LATEST_SYMLINK="backup.latest.tar.gz"
 
+# ************************************************************************
+# The BACKUP_FROM_SNAPSHOT option has been deprecated and will be removed
+# in the next major version. Please use exec-pre and exec-post
+# as documented below instead.
+# ************************************************************************
 # Whether to copy the content of backup folder before creating the tar archive.
 # In the rare scenario where the content of the source backup volume is continously
 # updating, but we do not wish to stop the container while performing the backup,
@@ -161,6 +169,12 @@ You can populate below template according to your requirements and use it as you
 
 # BACKUP_SOURCES="/other/location"
 
+# When given, all files in BACKUP_SOURCES whose full path matches the given
+# regular expression will be excluded from the archive. Regular Expressions
+# can be used as from the Go standard library https://pkg.go.dev/regexp
+
+# BACKUP_EXCLUDE_REGEXP="\.log$"
+
 ########### BACKUP STORAGE
 
 # The name of the remote bucket that should be used for storing backups. If
@@ -201,9 +215,9 @@ You can populate below template according to your requirements and use it as you
 # AWS_ENDPOINT_PROTO="https"
 
 # Setting this variable to `true` will disable verification of
-# SSL certificates. You shouldn't use this unless you use self-signed
-# certificates for your remote storage backend. This can only be used
-# when AWS_ENDPOINT_PROTO is set to `https`.
+# SSL certificates for AWS_ENDPOINT. You shouldn't use this unless you use
+# self-signed certificates for your remote storage backend. This can only be
+# used when AWS_ENDPOINT_PROTO is set to `https`.
 
 # AWS_ENDPOINT_INSECURE="true"
 
@@ -226,6 +240,46 @@ You can populate below template according to your requirements and use it as you
 
 # WEBDAV_PASSWORD="password"
 
+# Setting this variable to `true` will disable verification of
+# SSL certificates for WEBDAV_URL. You shouldn't use this unless you use
+# self-signed certificates for your remote storage backend.
+
+# WEBDAV_URL_INSECURE="true"
+
+# You can also backup files to any SSH server:
+
+# The URL of the remote SSH server
+
+# SSH_HOST_NAME="server.local"
+
+# The port of the remote SSH server
+# Optional variable default value is `22`
+
+# SSH_PORT=2222
+
+# The Directory to place the backups to on the SSH server.
+
+# SSH_REMOTE_PATH="/my/directory/"
+
+# The username for the SSH server
+
+# SSH_USER="user"
+
+# The password for the SSH server
+
+# SSH_PASSWORD="password"
+
+# The private key path in container for SSH server
+# Default value: /root/.ssh/id_rsa
+# If file is mounted to /root/.ssh/id_rsa path it will be used. Non-RSA keys will
+# also work.
+
+# SSH_IDENTITY_FILE="/root/.ssh/id_rsa"
+
+# The passphrase for the identity file
+
+# SSH_IDENTITY_PASSPHRASE="pass"
+
 # In addition to storing backups remotely, you can also keep local copies.
 # Pass a container-local path to store your backups if needed. You also need to
 # mount a local folder or Docker volume into that location (`/archive`
@@ -335,6 +389,16 @@ You can populate below template according to your requirements and use it as you
 
 # DOCKER_HOST="tcp://docker_socket_proxy:2375"
 
+########### LOCK_TIMEOUT
+
+# In the case of overlapping cron schedules run by the same container,
+# subsequent invocations will wait for previous runs to finish before starting.
+# By default, this will time out and fail in case the lock could not be acquired
+# after 60 minutes. In case you need to adjust this timeout, supply a duration
+# value as per https://pkg.go.dev/time#ParseDuration to `LOCK_TIMEOUT`
+
+# LOCK_TIMEOUT="60m"
+
 ########### EMAIL NOTIFICATIONS
 
 # ************************************************************************
@@ -366,7 +430,7 @@ You can populate below template according to your requirements and use it as you
 # EMAIL_SMTP_PORT="<port>"
 ```
 
-In case you encouter double quoted values in your configuration you might be running an [older version of `docker-compose`].
+In case you encouter double quoted values in your configuration you might be running an [older version of `docker-compose`][compose-issue].
 You can work around this by either updating `docker-compose` or unquoting your configuration values.
 
 [compose-issue]: https://github.com/docker/compose/issues/2854
@@ -391,7 +455,7 @@ services:
       - docker-volume-backup.stop-during-backup=service1
 
   backup:
-    image: offen/docker-volume-backup:latest
+    image: offen/docker-volume-backup:v2
     environment:
       BACKUP_STOP_CONTAINER_LABEL: service1
     volumes:
@@ -414,7 +478,7 @@ version: '3'
 services:
   # ... define other services using the `data` volume here
   backup:
-    image: offen/docker-volume-backup:latest
+    image: offen/docker-volume-backup:v2
     environment:
       BACKUP_FILENAME: backup-%Y-%m-%dT%H-%M-%S.tar.gz
       BACKUP_PRUNING_PREFIX: backup-
@@ -437,7 +501,7 @@ version: '3'
 
 services:
   backup:
-    image: offen/docker-volume-backup:latest
+    image: offen/docker-volume-backup:v2
     environment:
       # ... other configuration values go here
       NOTIFICATION_URLS=smtp://me:secret@smtp.example.com:587/?fromAddress=no-reply@example.com&toAddresses=you@example.com
@@ -515,7 +579,7 @@ services:
       - docker-volume-backup.exec-label=database
 
   backup:
-    image: offen/docker-volume-backup:latest
+    image: offen/docker-volume-backup:v2
     environment:
       EXEC_LABEL: database
     volumes:
@@ -592,7 +656,7 @@ version: '3'
 
 services:
   backup:
-    image: offen/docker-volume-backup:latest
+    image: offen/docker-volume-backup:v2
     volumes:
       - data:/backup/my-app-backup:ro
       - /etc/timezone:/etc/timezone:ro
@@ -615,7 +679,7 @@ When running in Swarm mode, it's also advised to set a hard memory limit on your
 ```yml
 services:
   backup:
-    image: offen/docker-volume-backup:latest
+    image: offen/docker-volume-backup:v2
     deployment:
       resources:
         limits:
@@ -650,6 +714,37 @@ After:
 NOTIFICATION_URLS=smtp://me:secret@posteo.de:587/?fromAddress=no-reply@example.com&toAddresses=you@example.com
 ```
 
+### Replace deprecated `BACKUP_FROM_SNAPSHOT` usage
+
+Starting with version 2.15.0, the `BACKUP_FROM_SNAPSHOT` feature has been deprecated.
+If you need to prepare your sources before the backup is taken, use `exec-pre`, `exec-post` and an intermediate volume:
+
+```yml
+version: '3'
+
+services:
+  my_app:
+    build: .
+    volumes:
+      - data:/var/my_app
+      - backup:/tmp/backup
+    labels:
+      - docker-volume-backup.exec-pre=cp -r /var/my_app /tmp/backup/my-app
+      - docker-volume-backup.exec-post=rm -rf /tmp/backup/my-app
+
+  backup:
+    image: offen/docker-volume-backup:latest
+    environment:
+      BACKUP_SOURCES: /tmp/backup
+    volumes:
+      - backup:/backup:ro
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+
+volumes:
+  data:
+  backup:
+```
+
 ### Using a custom Docker host
 
 If you are interfacing with Docker via TCP, set `DOCKER_HOST` to the correct URL.
@@ -669,7 +764,7 @@ version: '3'
 services:
   # ... define other services using the `data` volume here
   backup:
-    image: offen/docker-volume-backup:latest
+    image: offen/docker-volume-backup:v2
     volumes:
       - data:/backup/my-app-backup:ro
       - /var/run/docker.sock:/var/run/docker.sock:ro
@@ -681,10 +776,44 @@ volumes:
 
 A separate cronjob will be created for each config file.
 If a configuration value is set both in the global environment as well as in the config file, the config file will take precedence.
-The `backup` command expects to run on an exclusive lock, so it is your responsibility to make sure the invocations do not overlap.
+The `backup` command expects to run on an exclusive lock, so in case you provide the same or overlapping schedules in your cron expressions, the runs will still be executed serially, one after the other.
+The exact order of schedules that use the same cron expression is not specified.
 In case you need your schedules to overlap, you need to create a dedicated container for each schedule instead.
 When changing the configuration, you currently need to manually restart the container for the changes to take effect.
 
+### Define different retention schedules
+
+If you want to manage backup retention on different schedules, the most straight forward approach is to define a dedicated configuration for retention rule using a different prefix in the `BACKUP_FILENAME` parameter and then run them on different cron schedules.
+
+For example, if you wanted to keep daily backups for 7 days, weekly backups for a month, and retain monthly backups forever, you could create three configuration files and mount them into `/etc/dockervolumebackup.d`:
+
+```ini
+# 01daily.conf
+BACKUP_FILENAME="daily-backup-%Y-%m-%dT%H-%M-%S.tar.gz"
+# run every day at 2am
+BACKUP_CRON_EXPRESSION="0 2 * * *"
+BACKUP_PRUNING_PREFIX="daily-backup-"
+BACKUP_RETENTION_DAYS="7"
+```
+
+```ini
+# 02weekly.conf
+BACKUP_FILENAME="weekly-backup-%Y-%m-%dT%H-%M-%S.tar.gz"
+# run every monday at 3am
+BACKUP_CRON_EXPRESSION="0 3 * * 1"
+BACKUP_PRUNING_PREFIX="weekly-backup-"
+BACKUP_RETENTION_DAYS="31"
+```
+
+```ini
+# 03monthly.conf
+BACKUP_FILENAME="monthly-backup-%Y-%m-%dT%H-%M-%S.tar.gz"
+# run every 1st of a month at 4am
+BACKUP_CRON_EXPRESSION="0 4 1 * *"
+```
+
+Note that while it's possible to define colliding cron schedules for each of these configurations, you might need to adjust the value for `LOCK_TIMEOUT` in case your backups are large and might take longer than an hour.
+
 ## Recipes
 
 This section lists configuration for some real-world use cases that you can mix and match according to your needs.
@@ -697,9 +826,9 @@ version: '3'
 services:
   # ... define other services using the `data` volume here
   backup:
-    image: offen/docker-volume-backup:latest
+    image: offen/docker-volume-backup:v2
     environment:
-      AWS_BUCKET_NAME: backup-bucket
+      AWS_S3_BUCKET_NAME: backup-bucket
       AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE
       AWS_SECRET_ACCESS_KEY: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
     volumes:
@@ -718,10 +847,10 @@ version: '3'
 services:
   # ... define other services using the `data` volume here
   backup:
-    image: offen/docker-volume-backup:latest
+    image: offen/docker-volume-backup:v2
     environment:
       AWS_ENDPOINT: s3.filebase.com
-      AWS_BUCKET_NAME: filebase-bucket
+      AWS_S3_BUCKET_NAME: filebase-bucket
       AWS_ACCESS_KEY_ID: FILEBASE-ACCESS-KEY
       AWS_SECRET_ACCESS_KEY: FILEBASE-SECRET-KEY
     volumes:
@@ -740,10 +869,10 @@ version: '3'
 services:
   # ... define other services using the `data` volume here
   backup:
-    image: offen/docker-volume-backup:latest
+    image: offen/docker-volume-backup:v2
     environment:
       AWS_ENDPOINT: minio.example.com
-      AWS_BUCKET_NAME: backup-bucket
+      AWS_S3_BUCKET_NAME: backup-bucket
       AWS_ACCESS_KEY_ID: MINIOACCESSKEY
       AWS_SECRET_ACCESS_KEY: MINIOSECRETKEY
     volumes:
@@ -762,7 +891,7 @@ version: '3'
 services:
   # ... define other services using the `data` volume here
   backup:
-    image: offen/docker-volume-backup:latest
+    image: offen/docker-volume-backup:v2
     environment:
       WEBDAV_URL: https://webdav.mydomain.me
       WEBDAV_PATH: /my/directory/
@@ -776,6 +905,29 @@ volumes:
   data:
 ```
 
+### Backing up to SSH
+
+```yml
+version: '3'
+
+services:
+  # ... define other services using the `data` volume here
+  backup:
+    image: offen/docker-volume-backup:v2
+    environment:
+      SSH_HOST_NAME: server.local
+      SSH_PORT: 2222
+      SSH_USER: user
+      SSH_REMOTE_PATH: /data
+    volumes:
+      - data:/backup/my-app-backup:ro
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - /path/to/private_key:/root/.ssh/id
+
+volumes:
+  data:
+```
+
 ### Backing up locally
 
 ```yml
@@ -784,7 +936,7 @@ version: '3'
 services:
   # ... define other services using the `data` volume here
   backup:
-    image: offen/docker-volume-backup:latest
+    image: offen/docker-volume-backup:v2
     environment:
       BACKUP_FILENAME: backup-%Y-%m-%dT%H-%M-%S.tar.gz
       BACKUP_LATEST_SYMLINK: backup-latest.tar.gz
@@ -805,9 +957,9 @@ version: '3'
 services:
   # ... define other services using the `data` volume here
   backup:
-    image: offen/docker-volume-backup:latest
+    image: offen/docker-volume-backup:v2
     environment:
-      AWS_BUCKET_NAME: backup-bucket
+      AWS_S3_BUCKET_NAME: backup-bucket
       AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE
       AWS_SECRET_ACCESS_KEY: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
     volumes:
@@ -827,11 +979,11 @@ version: '3'
 services:
   # ... define other services using the `data` volume here
   backup:
-    image: offen/docker-volume-backup:latest
+    image: offen/docker-volume-backup:v2
     environment:
       # take a backup on every hour
       BACKUP_CRON_EXPRESSION: "0 * * * *"
-      AWS_BUCKET_NAME: backup-bucket
+      AWS_S3_BUCKET_NAME: backup-bucket
       AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE
       AWS_SECRET_ACCESS_KEY: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
     volumes:
@@ -850,9 +1002,9 @@ version: '3'
 services:
   # ... define other services using the `data` volume here
   backup:
-    image: offen/docker-volume-backup:latest
+    image: offen/docker-volume-backup:v2
     environment:
-      AWS_BUCKET_NAME: backup-bucket
+      AWS_S3_BUCKET_NAME: backup-bucket
       AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE
       AWS_SECRET_ACCESS_KEY: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
       BACKUP_FILENAME: backup-%Y-%m-%dT%H-%M-%S.tar.gz
@@ -874,9 +1026,9 @@ version: '3'
 services:
   # ... define other services using the `data` volume here
   backup:
-    image: offen/docker-volume-backup:latest
+    image: offen/docker-volume-backup:v2
     environment:
-      AWS_BUCKET_NAME: backup-bucket
+      AWS_S3_BUCKET_NAME: backup-bucket
       AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE
       AWS_SECRET_ACCESS_KEY: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
       GPG_PASSPHRASE: somesecretstring
@@ -901,7 +1053,7 @@ services:
     volumes:
       - app_data:/tmp/dumps
   backup:
-    image: offen/docker-volume-backup:latest
+    image: offen/docker-volume-backup:v2
     environment:
       BACKUP_FILENAME: db.tar.gz
       BACKUP_CRON_EXPRESSION: "0 2 * * *"
@@ -922,10 +1074,10 @@ version: '3'
 services:
   # ... define other services using the `data_1` and `data_2` volumes here
   backup_1: &backup_service
-    image: offen/docker-volume-backup:latest
+    image: offen/docker-volume-backup:v2
     environment: &backup_environment
       BACKUP_CRON_EXPRESSION: "0 2 * * *"
-      AWS_BUCKET_NAME: backup-bucket
+      AWS_S3_BUCKET_NAME: backup-bucket
       AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE
       AWS_SECRET_ACCESS_KEY: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
       # Label the container using the `data_1` volume as `docker-volume-backup.stop-during-backup=service1`

cmd/backup/archive.go

@@ -11,14 +11,13 @@ import (
 	"compress/gzip"
 	"fmt"
 	"io"
-	"io/fs"
 	"os"
 	"path"
 	"path/filepath"
 	"strings"
 )
 
-func createArchive(inputFilePath, outputFilePath string) error {
+func createArchive(files []string, inputFilePath, outputFilePath string) error {
 	inputFilePath = stripTrailingSlashes(inputFilePath)
 	inputFilePath, outputFilePath, err := makeAbsolute(inputFilePath, outputFilePath)
 	if err != nil {
@@ -28,7 +27,7 @@ func createArchive(inputFilePath, outputFilePath string) error {
 		return fmt.Errorf("createArchive: error creating output file path: %w", err)
 	}
 
-	if err := compress(inputFilePath, outputFilePath, filepath.Dir(inputFilePath)); err != nil {
+	if err := compress(files, outputFilePath, filepath.Dir(inputFilePath)); err != nil {
 		return fmt.Errorf("createArchive: error creating archive: %w", err)
 	}
 
@@ -52,7 +51,7 @@ func makeAbsolute(inputFilePath, outputFilePath string) (string, string, error)
 	return inputFilePath, outputFilePath, err
 }
 
-func compress(inPath, outFilePath, subPath string) error {
+func compress(paths []string, outFilePath, subPath string) error {
 	file, err := os.Create(outFilePath)
 	if err != nil {
 		return fmt.Errorf("compress: error creating out file: %w", err)
@@ -62,14 +61,6 @@ func compress(inPath, outFilePath, subPath string) error {
 	gzipWriter := gzip.NewWriter(file)
 	tarWriter := tar.NewWriter(gzipWriter)
 
-	var paths []string
-	if err := filepath.WalkDir(inPath, func(path string, di fs.DirEntry, err error) error {
-		paths = append(paths, path)
-		return err
-	}); err != nil {
-		return fmt.Errorf("compress: error walking filesystem tree: %w", err)
-	}
-
 	for _, p := range paths {
 		if err := writeTarGz(p, tarWriter, prefix); err != nil {
 			return fmt.Errorf("compress error writing %s to archive: %w", p, err)

cmd/backup/config.go

@@ -3,7 +3,11 @@
 
 package main
 
-import "time"
+import (
+	"fmt"
+	"regexp"
+	"time"
+)
 
 // Config holds all configuration values that are expected to be set
 // by users.
@@ -18,6 +22,7 @@ type Config struct {
 	BackupPruningPrefix        string        `split_words:"true"`
 	BackupStopContainerLabel   string        `split_words:"true" default:"true"`
 	BackupFromSnapshot         bool          `split_words:"true"`
+	BackupExcludeRegexp        RegexpDecoder `split_words:"true"`
 	AwsS3BucketName            string        `split_words:"true"`
 	AwsS3Path                  string        `split_words:"true"`
 	AwsEndpoint                string        `split_words:"true" default:"s3.amazonaws.com"`
@@ -36,9 +41,34 @@ type Config struct {
 	EmailSMTPUsername          string        `envconfig:"EMAIL_SMTP_USERNAME"`
 	EmailSMTPPassword          string        `envconfig:"EMAIL_SMTP_PASSWORD"`
 	WebdavUrl                  string        `split_words:"true"`
+	WebdavUrlInsecure          bool          `split_words:"true"`
 	WebdavPath                 string        `split_words:"true" default:"/"`
 	WebdavUsername             string        `split_words:"true"`
 	WebdavPassword             string        `split_words:"true"`
+	SSHHostName                string        `split_words:"true"`
+	SSHPort                    string        `split_words:"true" default:"22"`
+	SSHUser                    string        `split_words:"true"`
+	SSHPassword                string        `split_words:"true"`
+	SSHIdentityFile            string        `split_words:"true" default:"/root/.ssh/id_rsa"`
+	SSHIdentityPassphrase      string        `split_words:"true"`
+	SSHRemotePath              string        `split_words:"true"`
 	ExecLabel                  string        `split_words:"true"`
 	ExecForwardOutput          bool          `split_words:"true"`
+	LockTimeout                time.Duration `split_words:"true" default:"60m"`
+}
+
+type RegexpDecoder struct {
+	Re *regexp.Regexp
+}
+
+func (r *RegexpDecoder) Decode(v string) error {
+	if v == "" {
+		return nil
+	}
+	re, err := regexp.Compile(v)
+	if err != nil {
+		return fmt.Errorf("config: error compiling given regexp `%s`: %w", v, err)
+	}
+	*r = RegexpDecoder{Re: re}
+	return nil
 }

cmd/backup/exec.go

@@ -13,12 +13,12 @@ import (
 	"io/ioutil"
 	"os"
 	"strings"
-	"sync"
 
 	"github.com/cosiner/argv"
 	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/filters"
 	"github.com/docker/docker/pkg/stdcopy"
+	"golang.org/x/sync/errgroup"
 )
 
 func (s *script) exec(containerRef string, command string) ([]byte, []byte, error) {
@@ -97,29 +97,27 @@ func (s *script) runLabeledCommands(label string) error {
 		return nil
 	}
 
-	wg := sync.WaitGroup{}
-	wg.Add(len(containersWithCommand))
+	g := new(errgroup.Group)
 
-	var cmdErrors []error
 	for _, container := range containersWithCommand {
-		go func(c types.Container) {
+		c := container
+		g.Go(func() error {
 			cmd, _ := c.Labels[label]
 			s.logger.Infof("Running %s command %s for container %s", label, cmd, strings.TrimPrefix(c.Names[0], "/"))
 			stdout, stderr, err := s.exec(c.ID, cmd)
-			if err != nil {
-				cmdErrors = append(cmdErrors, err)
-			}
 			if s.c.ExecForwardOutput {
 				os.Stderr.Write(stderr)
 				os.Stdout.Write(stdout)
 			}
-			wg.Done()
-		}(container)
+			if err != nil {
+				return fmt.Errorf("runLabeledCommands: error executing command: %w", err)
+			}
+			return nil
+		})
 	}
 
-	wg.Wait()
-	if len(cmdErrors) != 0 {
-		return join(cmdErrors...)
+	if err := g.Wait(); err != nil {
+		return fmt.Errorf("runLabeledCommands: error from errgroup: %w", err)
 	}
 	return nil
 }

cmd/backup/lock.go

@@ -0,0 +1,58 @@
+// Copyright 2022 - Offen Authors <hioffen@posteo.de>
+// SPDX-License-Identifier: MPL-2.0
+
+package main
+
+import (
+	"errors"
+	"fmt"
+	"time"
+
+	"github.com/gofrs/flock"
+)
+
+// lock opens a lockfile at the given location, keeping it locked until the
+// caller invokes the returned release func. In case the lock is currently blocked
+// by another execution, it will repeatedly retry until the lock is available
+// or the given timeout is exceeded.
+func (s *script) lock(lockfile string) (func() error, error) {
+	start := time.Now()
+	defer func() {
+		s.stats.LockedTime = time.Now().Sub(start)
+	}()
+
+	retry := time.NewTicker(5 * time.Second)
+	defer retry.Stop()
+	deadline := time.NewTimer(s.c.LockTimeout)
+	defer deadline.Stop()
+
+	fileLock := flock.New(lockfile)
+
+	for {
+		acquired, err := fileLock.TryLock()
+		if err != nil {
+			return noop, fmt.Errorf("lock: error trying lock: %w", err)
+		}
+		if acquired {
+			if s.encounteredLock {
+				s.logger.Info("Acquired exclusive lock on subsequent attempt, ready to continue.")
+			}
+			return fileLock.Unlock, nil
+		}
+
+		if !s.encounteredLock {
+			s.logger.Infof(
+				"Exclusive lock was not available on first attempt. Will retry until it becomes available or the timeout of %s is exceeded.",
+				s.c.LockTimeout,
+			)
+			s.encounteredLock = true
+		}
+
+		select {
+		case <-retry.C:
+			continue
+		case <-deadline.C:
+			return noop, errors.New("lock: timed out waiting for lockfile to become available")
+		}
+	}
+}

cmd/backup/main.go

@@ -8,14 +8,15 @@ import (
 )
 
 func main() {
-	unlock := lock("/var/lock/dockervolumebackup.lock")
-	defer unlock()
-
 	s, err := newScript()
 	if err != nil {
 		panic(err)
 	}
 
+	unlock, err := s.lock("/var/lock/dockervolumebackup.lock")
+	defer unlock()
+	s.must(err)
+
 	defer func() {
 		if pArg := recover(); pArg != nil {
 			if err, ok := pArg.(error); ok {

cmd/backup/script.go

@@ -7,8 +7,12 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"github.com/pkg/sftp"
+	"golang.org/x/crypto/ssh"
 	"io"
 	"io/fs"
+	"io/ioutil"
+	"net/http"
 	"os"
 	"path"
 	"path/filepath"
@@ -38,6 +42,8 @@ type script struct {
 	cli          *client.Client
 	minioClient  *minio.Client
 	webdavClient *gowebdav.Client
+	sshClient    *ssh.Client
+	sftpClient   *sftp.Client
 	logger       *logrus.Logger
 	sender       *router.ServiceRouter
 	template     *template.Template
@@ -47,6 +53,8 @@ type script struct {
 	file  string
 	stats *Stats
 
+	encounteredLock bool
+
 	c *Config
 }
 
@@ -144,6 +152,66 @@ func newScript() (*script, error) {
 		} else {
 			webdavClient := gowebdav.NewClient(s.c.WebdavUrl, s.c.WebdavUsername, s.c.WebdavPassword)
 			s.webdavClient = webdavClient
+			if s.c.WebdavUrlInsecure {
+				defaultTransport, ok := http.DefaultTransport.(*http.Transport)
+				if !ok {
+					return nil, errors.New("newScript: unexpected error when asserting type for http.DefaultTransport")
+				}
+				webdavTransport := defaultTransport.Clone()
+				webdavTransport.TLSClientConfig.InsecureSkipVerify = s.c.WebdavUrlInsecure
+				s.webdavClient.SetTransport(webdavTransport)
+			}
+		}
+	}
+
+	if s.c.SSHHostName != "" {
+		var authMethods []ssh.AuthMethod
+
+		if s.c.SSHPassword != "" {
+			authMethods = append(authMethods, ssh.Password(s.c.SSHPassword))
+		}
+
+		if _, err := os.Stat(s.c.SSHIdentityFile); err == nil {
+			key, err := ioutil.ReadFile(s.c.SSHIdentityFile)
+			if err != nil {
+				return nil, errors.New("newScript: error reading the private key")
+			}
+
+			var signer ssh.Signer
+			if s.c.SSHIdentityPassphrase != "" {
+				signer, err = ssh.ParsePrivateKeyWithPassphrase(key, []byte(s.c.SSHIdentityPassphrase))
+				if err != nil {
+					return nil, errors.New("newScript: error parsing the encrypted private key")
+				}
+				authMethods = append(authMethods, ssh.PublicKeys(signer))
+			} else {
+				signer, err = ssh.ParsePrivateKey(key)
+				if err != nil {
+					return nil, errors.New("newScript: error parsing the private key")
+				}
+				authMethods = append(authMethods, ssh.PublicKeys(signer))
+			}
+		}
+
+		sshClientConfig := &ssh.ClientConfig{
+			User:            s.c.SSHUser,
+			Auth:            authMethods,
+			HostKeyCallback: ssh.InsecureIgnoreHostKey(),
+		}
+		sshClient, err := ssh.Dial("tcp", fmt.Sprintf("%s:%s", s.c.SSHHostName, s.c.SSHPort), sshClientConfig)
+		s.sshClient = sshClient
+		if err != nil {
+			return nil, fmt.Errorf("newScript: error creating ssh client: %w", err)
+		}
+		_, _, err = s.sshClient.SendRequest("keepalive", false, nil)
+		if err != nil {
+			return nil, err
+		}
+
+		sftpClient, err := sftp.NewClient(sshClient)
+		s.sftpClient = sftpClient
+		if err != nil {
+			return nil, fmt.Errorf("newScript: error creating sftp client: %w", err)
 		}
 	}
 
@@ -354,6 +422,12 @@ func (s *script) takeBackup() error {
 	backupSources := s.c.BackupSources
 
 	if s.c.BackupFromSnapshot {
+		s.logger.Warn(
+			"Using BACKUP_FROM_SNAPSHOT has been deprecated and will be removed in the next major version.",
+		)
+		s.logger.Warn(
+			"Please use `exec-pre` and `exec-post` commands to prepare your backup sources. Refer to the README for an upgrade guide.",
+		)
 		backupSources = filepath.Join("/tmp", s.c.BackupSources)
 		// copy before compressing guard against a situation where backup folder's content are still growing.
 		s.registerHook(hookLevelPlumbing, func(error) error {
@@ -380,7 +454,28 @@ func (s *script) takeBackup() error {
 		s.logger.Infof("Removed tar file `%s`.", tarFile)
 		return nil
 	})
-	if err := createArchive(backupSources, tarFile); err != nil {
+
+	backupPath, err := filepath.Abs(stripTrailingSlashes(backupSources))
+	if err != nil {
+		return fmt.Errorf("takeBackup: error getting absolute path: %w", err)
+	}
+
+	var filesEligibleForBackup []string
+	if err := filepath.WalkDir(backupPath, func(path string, di fs.DirEntry, err error) error {
+		if err != nil {
+			return err
+		}
+
+		if s.c.BackupExcludeRegexp.Re != nil && s.c.BackupExcludeRegexp.Re.MatchString(path) {
+			return nil
+		}
+		filesEligibleForBackup = append(filesEligibleForBackup, path)
+		return nil
+	}); err != nil {
+		return fmt.Errorf("compress: error walking filesystem tree: %w", err)
+	}
+
+	if err := createArchive(filesEligibleForBackup, backupSources, tarFile); err != nil {
 		return fmt.Errorf("takeBackup: error compressing backup folder: %w", err)
 	}
 
@@ -473,6 +568,52 @@ func (s *script) copyBackup() error {
 		s.logger.Infof("Uploaded a copy of backup `%s` to WebDAV-URL '%s' at path '%s'.", s.file, s.c.WebdavUrl, s.c.WebdavPath)
 	}
 
+	if s.sshClient != nil {
+		source, err := os.Open(s.file)
+		if err != nil {
+			return fmt.Errorf("copyBackup: error reading the file to be uploaded: %w", err)
+		}
+		defer source.Close()
+
+		destination, err := s.sftpClient.Create(filepath.Join(s.c.SSHRemotePath, name))
+		if err != nil {
+			return fmt.Errorf("copyBackup: error creating file on SSH storage: %w", err)
+		}
+		defer destination.Close()
+
+		chunk := make([]byte, 1000000)
+		for {
+			num, err := source.Read(chunk)
+			if err == io.EOF {
+				tot, err := destination.Write(chunk[:num])
+				if err != nil {
+					return fmt.Errorf("copyBackup: error uploading the file to SSH storage: %w", err)
+				}
+
+				if tot != len(chunk[:num]) {
+					return fmt.Errorf("sshClient: failed to write stream")
+				}
+
+				break
+			}
+
+			if err != nil {
+				return fmt.Errorf("copyBackup: error uploading the file to SSH storage: %w", err)
+			}
+
+			tot, err := destination.Write(chunk[:num])
+			if err != nil {
+				return fmt.Errorf("copyBackup: error uploading the file to SSH storage: %w", err)
+			}
+
+			if tot != len(chunk[:num]) {
+				return fmt.Errorf("sshClient: failed to write stream")
+			}
+		}
+
+		s.logger.Infof("Uploaded a copy of backup `%s` to SSH storage '%s' at path '%s'.", s.file, s.c.SSHHostName, s.c.SSHRemotePath)
+	}
+
 	if _, err := os.Stat(s.c.BackupArchive); !os.IsNotExist(err) {
 		if err := copyFile(s.file, path.Join(s.c.BackupArchive, name)); err != nil {
 			return fmt.Errorf("copyBackup: error copying file to local archive: %w", err)
@@ -528,7 +669,8 @@ func (s *script) pruneBackups() error {
 	if s.minioClient != nil {
 		candidates := s.minioClient.ListObjects(context.Background(), s.c.AwsS3BucketName, minio.ListObjectsOptions{
 			WithMetadata: true,
-			Prefix:       s.c.BackupPruningPrefix,
+			Prefix:       filepath.Join(s.c.AwsS3Path, s.c.BackupPruningPrefix),
+			Recursive:    true,
 		})
 
 		var matches []minio.ObjectInfo
@@ -605,6 +747,37 @@ func (s *script) pruneBackups() error {
 		})
 	}
 
+	if s.sshClient != nil {
+		candidates, err := s.sftpClient.ReadDir(s.c.SSHRemotePath)
+		if err != nil {
+			return fmt.Errorf("pruneBackups: error reading directory from SSH storage: %w", err)
+		}
+
+		var matches []string
+		for _, candidate := range candidates {
+			if !strings.HasPrefix(candidate.Name(), s.c.BackupPruningPrefix) {
+				continue
+			}
+			if candidate.ModTime().Before(deadline) {
+				matches = append(matches, candidate.Name())
+			}
+		}
+
+		s.stats.Storages.SSH = StorageStats{
+			Total:  uint(len(candidates)),
+			Pruned: uint(len(matches)),
+		}
+
+		doPrune(len(matches), len(candidates), "SSH backup(s)", func() error {
+			for _, match := range matches {
+				if err := s.sftpClient.Remove(filepath.Join(s.c.SSHRemotePath, match)); err != nil {
+					return fmt.Errorf("pruneBackups: error removing file from SSH storage: %w", err)
+				}
+			}
+			return nil
+		})
+	}
+
 	if _, err := os.Stat(s.c.BackupArchive); !os.IsNotExist(err) {
 		globPattern := path.Join(
 			s.c.BackupArchive,

cmd/backup/stats.go

@@ -30,10 +30,11 @@ type StorageStats struct {
 	PruneErrors uint
 }
 
-// StoragesStats stats about each possible archival location (Local, WebDAV, S3)
+// StoragesStats stats about each possible archival location (Local, WebDAV, SSH, S3)
 type StoragesStats struct {
 	Local  StorageStats
 	WebDAV StorageStats
+	SSH    StorageStats
 	S3     StorageStats
 }
 
@@ -42,6 +43,7 @@ type Stats struct {
 	StartTime  time.Time
 	EndTime    time.Time
 	TookTime   time.Duration
+	LockedTime time.Duration
 	LogOutput  *bytes.Buffer
 	Containers ContainersStats
 	BackupFile BackupFileStats

cmd/backup/util.go

@@ -10,27 +10,10 @@ import (
 	"io"
 	"os"
 	"strings"
-
-	"github.com/gofrs/flock"
 )
 
 var noop = func() error { return nil }
 
-// lock opens a lockfile at the given location, keeping it locked until the
-// caller invokes the returned release func. When invoked while the file is
-// still locked the function panics.
-func lock(lockfile string) func() error {
-	fileLock := flock.New(lockfile)
-	acquired, err := fileLock.TryLock()
-	if err != nil {
-		panic(err)
-	}
-	if !acquired {
-		panic("unable to acquire file lock")
-	}
-	return fileLock.Unlock
-}
-
 // copy creates a copy of the file located at `dst` at `src`.
 func copyFile(src, dst string) error {
 	in, err := os.Open(src)

docs/NOTIFICATION-TEMPLATES.md

@@ -13,6 +13,7 @@ Here is a list of all data passed to the template:
   * `StartTime`: time when the script started execution
   * `EndTime`: time when the backup has completed successfully (after pruning)
   * `TookTime`: amount of time it took for the backup to run. (equal to `EndTime - StartTime`)
+  * `LockedTime`: amount of time it took for the backup to acquire the exclusive lock
   * `LogOutput`: full log of the application
   * `Containers`: object containing stats about the docker containers
     * `All`: total number of containers
@@ -24,7 +25,7 @@ Here is a list of all data passed to the template:
     * `FullPath`: full path of the backup file (e.g. `/archive/backup-2022-02-11T01-00-00.tar.gz`)
     * `Size`: size in bytes of the backup file
   * `Storages`: object that holds stats about each storage
-    * `Local`, `S3` or `WebDAV`:
+    * `Local`, `S3`, `WebDAV` or `SSH`:
       * `Total`: total number of backup files
       * `Pruned`: number of backup files that were deleted due to pruning rule
       * `PruneErrors`: number of backup files that were unable to be pruned

go.mod

@@ -1,6 +1,6 @@
 module github.com/offen/docker-volume-backup
 
-go 1.17
+go 1.18
 
 require (
 	github.com/containrrr/shoutrrr v0.5.2
@@ -11,14 +11,16 @@ require (
 	github.com/leekchan/timeutil v0.0.0-20150802142658-28917288c48d
 	github.com/minio/minio-go/v7 v7.0.16
 	github.com/otiai10/copy v1.7.0
+	github.com/pkg/sftp v1.13.5
 	github.com/sirupsen/logrus v1.8.1
-	github.com/studio-b12/gowebdav v0.0.0-20211109083228-3f8721cd4b6f
-	golang.org/x/crypto v0.0.0-20210817164053-32db794688a5
+	github.com/studio-b12/gowebdav v0.0.0-20220128162035-c7b1ff8a5e62
+	golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3
+	golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f
 )
 
 require (
-	github.com/Microsoft/go-winio v0.4.17 // indirect
-	github.com/containerd/containerd v1.5.5 // indirect
+	github.com/Microsoft/go-winio v0.5.2 // indirect
+	github.com/containerd/containerd v1.6.6 // indirect
 	github.com/docker/distribution v2.7.1+incompatible // indirect
 	github.com/docker/go-connections v0.4.0 // indirect
 	github.com/docker/go-units v0.4.0 // indirect
@@ -26,33 +28,39 @@ require (
 	github.com/fatih/color v1.10.0 // indirect
 	github.com/fsnotify/fsnotify v1.4.9 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
-	github.com/golang/protobuf v1.5.0 // indirect
+	github.com/golang/protobuf v1.5.2 // indirect
 	github.com/google/uuid v1.3.0 // indirect
+	github.com/gorilla/mux v1.7.3 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
-	github.com/klauspost/compress v1.13.6 // indirect
+	github.com/klauspost/compress v1.15.6 // indirect
 	github.com/klauspost/cpuid/v2 v2.0.9 // indirect
+	github.com/kr/fs v0.1.0 // indirect
+	github.com/kr/text v0.2.0 // indirect
 	github.com/mattn/go-colorable v0.1.8 // indirect
 	github.com/mattn/go-isatty v0.0.12 // indirect
 	github.com/minio/md5-simd v1.1.2 // indirect
 	github.com/minio/sha256-simd v1.0.0 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
+	github.com/moby/term v0.0.0-20200312100748-672ec06f55cd // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/morikuni/aec v1.0.0 // indirect
+	github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e // indirect
 	github.com/nxadm/tail v1.4.6 // indirect
 	github.com/onsi/ginkgo v1.14.2 // indirect
 	github.com/onsi/gomega v1.10.3 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
-	github.com/opencontainers/image-spec v1.0.1 // indirect
+	github.com/opencontainers/image-spec v1.0.3-0.20211202183452-c5a74bcca799 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/rs/xid v1.3.0 // indirect
-	golang.org/x/net v0.0.0-20210226172049-e18ecbb05110 // indirect
-	golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1 // indirect
-	golang.org/x/text v0.3.6 // indirect
+	golang.org/x/net v0.0.0-20220607020251-c690dde0001d // indirect
+	golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a // indirect
+	golang.org/x/text v0.3.7 // indirect
 	golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
-	google.golang.org/genproto v0.0.0-20201110150050-8816d57aaa9a // indirect
-	google.golang.org/grpc v1.33.2 // indirect
-	google.golang.org/protobuf v1.26.0 // indirect
+	google.golang.org/genproto v0.0.0-20220602131408-e326c6e8e9c8 // indirect
+	google.golang.org/grpc v1.47.0 // indirect
+	google.golang.org/protobuf v1.28.0 // indirect
+	gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f // indirect
 	gopkg.in/ini.v1 v1.65.0 // indirect
 	gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect

test/compose/docker-compose.yml

@@ -21,12 +21,24 @@ services:
     volumes:
       - webdav_backup_data:/var/lib/dav
 
+  ssh:
+    image: linuxserver/openssh-server:version-8.6_p1-r3
+    environment:
+      - PUID=1000
+      - PGID=1000
+      - USER_NAME=test
+    volumes:
+      - ./id_rsa.pub:/config/.ssh/authorized_keys
+      - ssh_backup_data:/tmp
+      - ssh_config:/config
+
   backup:
     image: offen/docker-volume-backup:${TEST_VERSION:-canary}
     hostname: hostnametoken
     depends_on:
       - minio
       - webdav
+      - ssh
     restart: always
     environment:
       AWS_ACCESS_KEY_ID: test
@@ -43,11 +55,18 @@ services:
       BACKUP_PRUNING_PREFIX: test
       GPG_PASSPHRASE: 1234secret
       WEBDAV_URL: http://webdav/
+      WEBDAV_URL_INSECURE: 'true'
       WEBDAV_PATH: /my/new/path/
       WEBDAV_USERNAME: test
       WEBDAV_PASSWORD: test
+      SSH_HOST_NAME: ssh
+      SSH_PORT: 2222
+      SSH_USER: test
+      SSH_REMOTE_PATH: /tmp
+      SSH_IDENTITY_PASSPHRASE: test1234
     volumes:
       - ./local:/archive
+      - ./id_rsa:/root/.ssh/id_rsa
       - app_data:/backup/app_data:ro
       - /var/run/docker.sock:/var/run/docker.sock
 
@@ -61,4 +80,6 @@ services:
 volumes:
   minio_backup_data:
   webdav_backup_data:
+  ssh_backup_data:
+  ssh_config:
   app_data:

test/compose/run.sh

@@ -2,9 +2,10 @@
 
 set -e
 
-cd $(dirname $0)
+cd "$(dirname "$0")"
 
 mkdir -p local
+ssh-keygen -t rsa -m pem -b 4096 -N "test1234" -f id_rsa -C "docker-volume-backup@local"
 
 docker-compose up -d
 sleep 5
@@ -15,7 +16,7 @@ docker-compose exec offen ln -s /var/opt/offen/offen.db /var/opt/offen/db.link
 docker-compose exec backup backup
 
 sleep 5
-if [ "$(docker-compose ps -q | wc -l)" != "4" ]; then
+if [ "$(docker-compose ps -q | wc -l)" != "5" ]; then
   echo "[TEST:FAIL] Expected all containers to be running post backup, instead seen:"
   docker-compose ps
   exit 1
@@ -25,10 +26,12 @@ echo "[TEST:PASS] All containers running post backup."
 
 docker run --rm -it \
   -v compose_minio_backup_data:/minio_data \
-  -v compose_webdav_backup_data:/webdav_data alpine \
+  -v compose_webdav_backup_data:/webdav_data \
+  -v compose_ssh_backup_data:/ssh_data alpine \
   ash -c 'apk add gnupg && \
           echo 1234secret | gpg -d --pinentry-mode loopback --passphrase-fd 0 --yes /minio_data/backup/test-hostnametoken.tar.gz.gpg > /tmp/test-hostnametoken.tar.gz && tar -xvf /tmp/test-hostnametoken.tar.gz -C /tmp && test -f /tmp/backup/app_data/offen.db && \
-          echo 1234secret | gpg -d --pinentry-mode loopback --passphrase-fd 0 --yes /webdav_data/data/my/new/path/test-hostnametoken.tar.gz.gpg > /tmp/test-hostnametoken.tar.gz && tar -xvf /tmp/test-hostnametoken.tar.gz -C /tmp && test -f /tmp/backup/app_data/offen.db'
+          echo 1234secret | gpg -d --pinentry-mode loopback --passphrase-fd 0 --yes /webdav_data/data/my/new/path/test-hostnametoken.tar.gz.gpg > /tmp/test-hostnametoken.tar.gz && tar -xvf /tmp/test-hostnametoken.tar.gz -C /tmp && test -f /tmp/backup/app_data/offen.db && \
+          echo 1234secret | gpg -d --pinentry-mode loopback --passphrase-fd 0 --yes /ssh_data/test-hostnametoken.tar.gz.gpg > /tmp/test-hostnametoken.tar.gz && tar -xvf /tmp/test-hostnametoken.tar.gz -C /tmp && test -f /tmp/backup/app_data/offen.db'
 
 echo "[TEST:PASS] Found relevant files in decrypted and untared remote backups."
 
@@ -52,9 +55,11 @@ docker-compose exec backup backup
 
 docker run --rm -it \
   -v compose_minio_backup_data:/minio_data \
-  -v compose_webdav_backup_data:/webdav_data alpine \
+  -v compose_webdav_backup_data:/webdav_data \
+  -v compose_ssh_backup_data:/ssh_data alpine \
   ash -c '[ $(find /minio_data/backup/ -type f | wc -l) = "1" ] && \
-          [ $(find /webdav_data/data/my/new/path/ -type f | wc -l) = "1" ]'
+          [ $(find /webdav_data/data/my/new/path/ -type f | wc -l) = "1" ] && \
+          [ $(find /ssh_data/ -type f | wc -l) = "1" ]'
 
 echo "[TEST:PASS] Remote backups have not been deleted."
 
@@ -66,3 +71,4 @@ fi
 echo "[TEST:PASS] Local backups have not been deleted."
 
 docker-compose down --volumes
+rm -f id_rsa id_rsa.pub

test/confd/02backup.env

@@ -0,0 +1,2 @@
+BACKUP_FILENAME="other.tar.gz"
+BACKUP_CRON_EXPRESSION="*/1 * * * *"

test/confd/docker-compose.yml

@@ -7,8 +7,9 @@ services:
     volumes:
       - ./local:/archive
       - app_data:/backup/app_data:ro
-      - ./backup.env:/etc/dockervolumebackup/conf.d/00backup.env
-      - ./never.env:/etc/dockervolumebackup/conf.d/10never.env
+      - ./01backup.env:/etc/dockervolumebackup/conf.d/01backup.env
+      - ./02backup.env:/etc/dockervolumebackup/conf.d/02backup.env
+      - ./03never.env:/etc/dockervolumebackup/conf.d/03never.env
       - /var/run/docker.sock:/var/run/docker.sock
 
   offen:

test/confd/run.sh

@@ -19,6 +19,12 @@ if [ ! -f ./local/conf.tar.gz ]; then
 fi
 echo "[TEST:PASS] Config from file was used."
 
+if [ ! -f ./local/other.tar.gz ]; then
+  echo "[TEST:FAIL] Run on same schedule did not succeed."
+  exit 1
+fi
+echo "[TEST:PASS] Run on same schedule succeeded."
+
 if [ -f ./local/never.tar.gz ]; then
   echo "[TEST:FAIL] Unexpected file was found."
   exit 1

test/ignore/.gitignore

@@ -0,0 +1 @@
+local

test/ignore/docker-compose.yml

@@ -0,0 +1,15 @@
+version: '3.8'
+
+services:
+  backup:
+    image: offen/docker-volume-backup:${TEST_VERSION:-canary}
+    deploy:
+      restart_policy:
+        condition: on-failure
+    environment:
+      BACKUP_FILENAME: test.tar.gz
+      BACKUP_CRON_EXPRESSION: 0 0 5 31 2 ?
+      BACKUP_EXCLUDE_REGEXP: '\.(me|you)$$'
+    volumes:
+      - ./local:/archive
+      - ./sources:/backup/data:ro

test/ignore/run.sh

@@ -0,0 +1,27 @@
+#!/bin/sh
+
+set -e
+
+cd $(dirname $0)
+mkdir -p local
+
+docker-compose up -d
+sleep 5
+docker-compose exec backup backup
+
+docker-compose down --volumes
+
+out=$(mktemp -d)
+sudo tar --same-owner -xvf ./local/test.tar.gz -C "$out"
+
+if [ ! -f "$out/backup/data/me.txt" ]; then
+  echo "[TEST:FAIL] Expected file was not found."
+  exit 1
+fi
+echo "[TEST:PASS] Expected file was found."
+
+if [ -f "$out/backup/data/skip.me" ]; then
+  echo "[TEST:FAIL] Ignored file was found."
+  exit 1
+fi
+echo "[TEST:PASS] Ignored file was not found."

test/swarm/docker-compose.yml

@@ -43,6 +43,8 @@ services:
     image: offen/offen:latest
     labels:
       - docker-volume-backup.stop-during-backup=true
+    healthcheck:
+      disable: true
     deploy:
       replicas: 2
       restart_policy: