Allow use of a custom ca cert when working against S3 storages (#170 )

Update MinIO Go SDK to v7.0.44 (#167 )
Adds support for the eu-south-2, eu-central-2, me-central-1, ap-southeast-3 AWS endpoints
2025-12-05 17:18:02 +01:00 · 2022-12-22 14:37:51 +01:00 · 2022-11-21 20:30:13 +01:00 · 2022-10-23 21:56:44 +02:00 · 2022-10-17 20:41:10 +02:00 · 2022-10-17 19:42:38 +02:00
39 changed files with 1486 additions and 598 deletions
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -35,7 +35,8 @@ jobs:
      - checkout
      - setup_remote_docker:
          version: 20.10.6
-      - docker/install-docker-credential-helper
+      - docker/install-docker-credential-helper:
          release-tag: v0.6.4
      - docker/configure-docker-credentials-store
      - run:
          name: Push to Docker Hub
@@ -71,4 +72,4 @@ workflows:
              only: /^v.*/
 orbs:
-  docker: circleci/docker@1.0.1
+  docker: circleci/docker@2.1.4
--- a/.dockerignore
+++ b/.dockerignore
@@ -1 +1,7 @@
 test
 .github
 .circleci
 docs
 .editorconfig
 LICENSE
 README.md
--- a/.github/FUNDING.yml
+++ b/.github/FUNDING.yml
@@ -0,0 +1,3 @@
 github: offen
 patreon: offen
--- a/.github/ISSUE_TEMPLATE.md
+++ b/.github/ISSUE_TEMPLATE.md
@@ -1,20 +0,0 @@
 * **I'm submitting a ...**
  - [ ] bug report
  - [ ] feature request
  - [ ] support request
 * **What is the current behavior?**
 * **If the current behavior is a bug, please provide the configuration and steps to reproduce and if possible a minimal demo of the problem.**
 * **What is the expected behavior?**
 * **What is the motivation / use case for changing the behavior?**
 * **Please tell us about your environment:**
  - Image version:
  - Docker version: 
  - docker-compose version:
 * **Other information** (e.g. detailed explanation, stacktraces, related issues, suggestions how to fix, links for us to have context, eg. stackoverflow, etc)
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -0,0 +1,28 @@
 ---
 name: Bug report
 about: Create a report to help us improve
 title: ''
 labels: ''
 assignees: ''
 ---
 **Describe the bug**
 A clear and concise description of what the bug is.
 **To Reproduce**
 Steps to reproduce the behavior:
 1. ...
 2. ...
 3. ...
 **Expected behavior**
 A clear and concise description of what you expected to happen.
 **Desktop (please complete the following information):**
 - Image Version: [e.g. v2.21.0]
 - Docker Version: [e.g. 20.10.17]
 - Docker Compose Version (if applicable): [e.g. 1.29.2]
 **Additional context**
 Add any other context about the problem here.
--- a/.github/ISSUE_TEMPLATE/feature_request.md
+++ b/.github/ISSUE_TEMPLATE/feature_request.md
@@ -0,0 +1,20 @@
 ---
 name: Feature request
 about: Suggest an idea for this project
 title: ''
 labels: ''
 assignees: ''
 ---
 **Is your feature request related to a problem? Please describe.**
 A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
 **Describe the solution you'd like**
 A clear and concise description of what you want to happen.
 **Describe alternatives you've considered**
 A clear and concise description of any alternative solutions or features you've considered.
 **Additional context**
 Add any other context or screenshots about the feature request here.
--- a/.github/ISSUE_TEMPLATE/support_request.md
+++ b/.github/ISSUE_TEMPLATE/support_request.md
@@ -0,0 +1,20 @@
 ---
 name: Support request
 about: Ask for help
 title: ''
 labels: ''
 assignees: ''
 ---
 **What are you trying to do?**
 A clear and concise description of what you are trying to do, but cannot get working.
 **What is your current configuration?**
 Add the full configuration you are using. Please redact out any real-world credentials.
 **Log output**
 Provide the full log output of your setup.
 **Additional context**
 Add any other context or screenshots about the support request here.
--- a/7
+++ b/7
@@ -1,16 +1,15 @@
 # Copyright 2021 - Offen Authors <hioffen@posteo.de>
 # SPDX-License-Identifier: MPL-2.0
-FROM golang:1.18-alpine as builder
+FROM golang:1.19-alpine as builder
 WORKDIR /app
-COPY go.mod go.sum ./
+COPY . .
 RUN go mod download
 COPY cmd/backup ./cmd/backup/
 WORKDIR /app/cmd/backup
 RUN go build -o backup .
-FROM alpine:3.15
+FROM alpine:3.16
 WORKDIR /root
--- a/README.md
+++ b/README.md
@@ -20,7 +20,7 @@ It handles __recurring or one-off backups of Docker volumes__ to a __local direc
  - [Automatically pruning old backups](#automatically-pruning-old-backups)
  - [Send email notifications on failed backup runs](#send-email-notifications-on-failed-backup-runs)
  - [Customize notifications](#customize-notifications)
-  - [Run custom commands before / after backup](#run-custom-commands-before--after-backup)
+  - [Run custom commands during the backup lifecycle](#run-custom-commands-during-the-backup-lifecycle)
  - [Encrypting your backup using GPG](#encrypting-your-backup-using-gpg)
  - [Restoring a volume from a backup](#restoring-a-volume-from-a-backup)
  - [Set the timezone the container runs in](#set-the-timezone-the-container-runs-in)
@@ -28,13 +28,16 @@ It handles __recurring or one-off backups of Docker volumes__ to a __local direc
  - [Manually triggering a backup](#manually-triggering-a-backup)
  - [Update deprecated email configuration](#update-deprecated-email-configuration)
  - [Replace deprecated `BACKUP_FROM_SNAPSHOT` usage](#replace-deprecated-backup_from_snapshot-usage)
  - [Replace deprecated `exec-pre` and `exec-post` labels](#replace-deprecated-exec-pre-and-exec-post-labels)
  - [Using a custom Docker host](#using-a-custom-docker-host)
  - [Run multiple backup schedules in the same container](#run-multiple-backup-schedules-in-the-same-container)
  - [Define different retention schedules](#define-different-retention-schedules)
  - [Use special characters in notification URLs](#use-special-characters-in-notification-urls)
 - [Recipes](#recipes)
  - [Backing up to AWS S3](#backing-up-to-aws-s3)
  - [Backing up to Filebase](#backing-up-to-filebase)
  - [Backing up to MinIO](#backing-up-to-minio)
  - [Backing up to MinIO \(using Docker secrets\)](#backing-up-to-minio-using-docker-secrets)
  - [Backing up to WebDAV](#backing-up-to-webdav)
  - [Backing up to SSH](#backing-up-to-ssh)
  - [Backing up locally](#backing-up-locally)
@@ -194,6 +197,14 @@ You can populate below template according to your requirements and use it as you
 # AWS_ACCESS_KEY_ID="<xxx>"
 # AWS_SECRET_ACCESS_KEY="<xxx>"
 # It is possible to provide the keys in files, allowing to hide the sensitive data.
 # These values have a higher priority than the ones above, meaning if both are set
 # the values from the files will be used.
 # This option is most useful with Docker [secrets](https://docs.docker.com/engine/swarm/secrets/).
 # AWS_ACCESS_KEY_ID_FILE="/path/to/file"
 # AWS_SECRET_ACCESS_KEY_FILE="/path/to/file"
 # Instead of providing static credentials, you can also use IAM instance profiles
 # or similar to provide authentication. Some possible configuration options on AWS:
 # - EC2: http://169.254.169.254
@@ -221,6 +232,13 @@ You can populate below template according to your requirements and use it as you
 # AWS_ENDPOINT_INSECURE="true"
 # If you wish to use self signed certificates your S3 server, you can pass
 # the location of a PEM encoded CA certificate and it will be used for
 # validating your certificates.
 # Alternatively, pass a PEM encoded string containing the certificate.
 # AWS_ENDPOINT_CA_CERT="/path/to/cert.pem"
 # Setting this variable will change the S3 storage class header.
 # Defaults to "STANDARD", you can set this value according to your needs.
@@ -350,7 +368,7 @@ You can populate below template according to your requirements and use it as you
 # It is possible to define commands to be run in any container before and after
 # a backup is conducted. The commands themselves are defined in labels like
-# `docker-volume-backup.exec-pre=/bin/sh -c 'mysqldump [options] > dump.sql'.
+# `docker-volume-backup.archive-pre=/bin/sh -c 'mysqldump [options] > dump.sql'.
 # Several options exist for controlling this feature:
 # By default, any output of such a command is suppressed. If this value
@@ -542,11 +560,16 @@ Overridable template names are: `title_success`, `body_success`, `title_failure`
 For a full list of available variables and functions, see [this page](https://github.com/offen/docker-volume-backup/blob/master/docs/NOTIFICATION-TEMPLATES.md).
-### Run custom commands before / after backup
+### Run custom commands during the backup lifecycle
 In certain scenarios it can be required to run specific commands before and after a backup is taken (e.g. dumping a database).
-When mounting the Docker socket into the `docker-volume-backup` container, you can define pre- and post-commands that will be run in the context of the target container.
+When mounting the Docker socket into the `docker-volume-backup` container, you can define pre- and post-commands that will be run in the context of the target container (it is also possible to run commands inside the `docker-volume-backup` container itself using this feature).
-Such commands are defined by specifying the command in a `docker-volume-backup.exec-[pre|post]` label.
+Such commands are defined by specifying the command in a `docker-volume-backup.[step]-[pre|post]` label where `step` can be any of the following phases of a backup lifecyle:
 - `archive` (the tar archive is created)
 - `process` (the tar archive is processed, e.g. encrypted - optional)
 - `copy` (the tar archive is copied to all configured storages)
 - `prune` (existing backups are pruned based on the defined ruleset - optional)
 Taking a database dump using `mysqldump` would look like this:
@@ -560,7 +583,7 @@ services:
    volumes:
      - backup_data:/tmp/backups
    labels:
-      - docker-volume-backup.exec-pre=/bin/sh -c 'mysqldump --all-databases > /backups/dump.sql'
+      - docker-volume-backup.archive-pre=/bin/sh -c 'mysqldump --all-databases > /backups/dump.sql'
 volumes:
  backup_data:
@@ -580,7 +603,7 @@ services:
    volumes:
      - backup_data:/tmp/backups
    labels:
-      - docker-volume-backup.exec-pre=/bin/sh -c 'mysqldump --all-databases > /tmp/volume/dump.sql'
+      - docker-volume-backup.archive-pre=/bin/sh -c 'mysqldump --all-databases > /tmp/volume/dump.sql'
      - docker-volume-backup.exec-label=database
  backup:
@@ -596,7 +619,7 @@ volumes:
 ```
-The backup procedure is guaranteed to wait for all `pre` commands to finish.
+The backup procedure is guaranteed to wait for all `pre` or `post` commands to finish before proceeding.
 However there are no guarantees about the order in which they are run, which could also happen concurrently.
 ### Encrypting your backup using GPG
@@ -722,7 +745,7 @@ NOTIFICATION_URLS=smtp://me:secret@posteo.de:587/?fromAddress=no-reply@example.c
 ### Replace deprecated `BACKUP_FROM_SNAPSHOT` usage
 Starting with version 2.15.0, the `BACKUP_FROM_SNAPSHOT` feature has been deprecated.
-If you need to prepare your sources before the backup is taken, use `exec-pre`, `exec-post` and an intermediate volume:
+If you need to prepare your sources before the backup is taken, use `archive-pre`, `archive-post` and an intermediate volume:
 ```yml
 version: '3'
@@ -734,8 +757,8 @@ services:
      - data:/var/my_app
      - backup:/tmp/backup
    labels:
-      - docker-volume-backup.exec-pre=cp -r /var/my_app /tmp/backup/my-app
+      - docker-volume-backup.archive-pre=cp -r /var/my_app /tmp/backup/my-app
-      - docker-volume-backup.exec-post=rm -rf /tmp/backup/my-app
+      - docker-volume-backup.archive-post=rm -rf /tmp/backup/my-app
  backup:
    image: offen/docker-volume-backup:latest
@@ -750,6 +773,23 @@ volumes:
  backup:
 ```
 ### Replace deprecated `exec-pre` and `exec-post` labels
 Version 2.19.0 introduced the option to run labeled commands at multiple points in time during the backup lifecycle.
 In order to be able to use more obvious terminology in the new labels, the existing `exec-pre` and `exec-post` labels have been deprecated.
 If you want to emulate the existing behavior, all you need to do is change `exec-pre` to `archive-pre` and `exec-post` to `archive-post`:
 ```diff
    labels:
 -     - docker-volume-backup.exec-pre=cp -r /var/my_app /tmp/backup/my-app
 +     - docker-volume-backup.archive-pre=cp -r /var/my_app /tmp/backup/my-app
 -     - docker-volume-backup.exec-post=rm -rf /tmp/backup/my-app
 +     - docker-volume-backup.archive-post=rm -rf /tmp/backup/my-app
 ```
 The `EXEC_LABEL` setting and the `docker-volume-backup.exec-label` label stay as is.
 Check the additional documentation on running commands during the backup lifecycle to find out about further possibilities.
 ### Using a custom Docker host
 If you are interfacing with Docker via TCP, set `DOCKER_HOST` to the correct URL.
@@ -786,6 +826,25 @@ The exact order of schedules that use the same cron expression is not specified.
 In case you need your schedules to overlap, you need to create a dedicated container for each schedule instead.
 When changing the configuration, you currently need to manually restart the container for the changes to take effect.
 Set `BACKUP_SOURCES` for each config file to control which subset of volume mounts gets backed up:
 ```yml
 # With a volume configuration like this:
 volumes:
  - /var/run/docker.sock:/var/run/docker.sock:ro
  - ./configuration:/etc/dockervolumebackup/conf.d
  - app1_data:/backup/app1_data:ro
  - app2_data:/backup/app2_data:ro
 ```
 ```ini
 # In the 1st config file:
 BACKUP_SOURCES=/backup/app1_data
 # In the 2nd config file:
 BACKUP_SOURCES=/backup/app2_data
 ```
 ### Define different retention schedules
 If you want to manage backup retention on different schedules, the most straight forward approach is to define a dedicated configuration for retention rule using a different prefix in the `BACKUP_FILENAME` parameter and then run them on different cron schedules.
@@ -819,6 +878,22 @@ BACKUP_CRON_EXPRESSION="0 4 1 * *"
 Note that while it's possible to define colliding cron schedules for each of these configurations, you might need to adjust the value for `LOCK_TIMEOUT` in case your backups are large and might take longer than an hour.
 ### Use special characters in notification URLs
 The value given to `NOTIFICATION_URLS` is a comma separated list of URLs.
 If such a URL contains special characters (e.g. commas) it needs to be URL encoded.
 To get an encoded version of your URL, you can use the CLI tool provided by `shoutrrr` (which is the library used for sending notifications):
 ```
 docker run --rm -ti containrrr/shoutrrr generate [service]
 ```
 where service is any of the [supported services][shoutrrr-docs], e.g. for SMTP:
 ```
 docker run --rm -ti containrrr/shoutrrr generate smtp
 ```
 ## Recipes
 This section lists configuration for some real-world use cases that you can mix and match according to your needs.
@@ -888,6 +963,38 @@ volumes:
  data:
 ```
 ### Backing up to MinIO (using Docker secrets)
 ```yml
 version: '3'
 services:
  # ... define other services using the `data` volume here
  backup:
    image: offen/docker-volume-backup:v2
    environment:
      AWS_ENDPOINT: minio.example.com
      AWS_S3_BUCKET_NAME: backup-bucket
      AWS_ACCESS_KEY_ID_FILE: /run/secrets/minio_access_key
      AWS_SECRET_ACCESS_KEY_FILE: /run/secrets/minio_secret_key
    volumes:
      - data:/backup/my-app-backup:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
    secrets:
      - minio_access_key
      - minio_secret_key
 volumes:
  data:
 secrets:
  minio_access_key:
    # ... define how secret is accessed
  minio_secret_key:
    # ... define how secret is accessed
 ```
 ### Backing up to WebDAV
 ```yml
@@ -927,7 +1034,7 @@ services:
    volumes:
      - data:/backup/my-app-backup:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
-      - /path/to/private_key:/root/.ssh/id
+      - /path/to/private_key:/root/.ssh/id_rsa
 volumes:
  data:
@@ -1054,9 +1161,9 @@ services:
  database:
    image: mariadb:latest
    labels:
-      - docker-volume-backup.exec-pre=/bin/sh -c 'mysqldump -psecret --all-databases > /tmp/dumps/dump.sql'
+      - docker-volume-backup.archive-pre=/bin/sh -c 'mysqldump -psecret --all-databases > /tmp/dumps/dump.sql'
    volumes:
-      - app_data:/tmp/dumps
+      - data:/tmp/dumps
  backup:
    image: offen/docker-volume-backup:v2
    environment:
--- a/cmd/backup/archive.go
+++ b/cmd/backup/archive.go
@@ -63,7 +63,7 @@ func compress(paths []string, outFilePath, subPath string) error {
 	for _, p := range paths {
 		if err := writeTarGz(p, tarWriter, prefix); err != nil {
-			return fmt.Errorf("compress error writing %s to archive: %w", p, err)
+			return fmt.Errorf("compress: error writing %s to archive: %w", p, err)
 		}
 	}
--- a/cmd/backup/config.go
+++ b/cmd/backup/config.go
@@ -4,7 +4,11 @@
 package main
 import (
 	"crypto/x509"
 	"encoding/pem"
 	"fmt"
 	"io/ioutil"
 	"os"
 	"regexp"
 	"time"
 )
@@ -12,6 +16,18 @@ import (
 // Config holds all configuration values that are expected to be set
 // by users.
 type Config struct {
 	AwsS3BucketName            string        `split_words:"true"`
 	AwsS3Path                  string        `split_words:"true"`
 	AwsEndpoint                string        `split_words:"true" default:"s3.amazonaws.com"`
 	AwsEndpointProto           string        `split_words:"true" default:"https"`
 	AwsEndpointInsecure        bool          `split_words:"true"`
 	AwsEndpointCACert          CertDecoder   `envconfig:"AWS_ENDPOINT_CA_CERT"`
 	AwsStorageClass            string        `split_words:"true"`
 	AwsAccessKeyID             string        `envconfig:"AWS_ACCESS_KEY_ID"`
 	AwsAccessKeyIDFile         string        `envconfig:"AWS_ACCESS_KEY_ID_FILE"`
 	AwsSecretAccessKey         string        `split_words:"true"`
 	AwsSecretAccessKeyFile     string        `split_words:"true"`
 	AwsIamRoleEndpoint         string        `split_words:"true"`
 	BackupSources              string        `split_words:"true" default:"/backup"`
 	BackupFilename             string        `split_words:"true" default:"backup-%Y-%m-%dT%H-%M-%S.tar.gz"`
 	BackupFilenameExpand       bool          `split_words:"true"`
@@ -23,15 +39,6 @@ type Config struct {
 	BackupStopContainerLabel   string        `split_words:"true" default:"true"`
 	BackupFromSnapshot         bool          `split_words:"true"`
 	BackupExcludeRegexp        RegexpDecoder `split_words:"true"`
 	AwsS3BucketName            string        `split_words:"true"`
 	AwsS3Path                  string        `split_words:"true"`
 	AwsEndpoint                string        `split_words:"true" default:"s3.amazonaws.com"`
 	AwsEndpointProto           string        `split_words:"true" default:"https"`
 	AwsEndpointInsecure        bool          `split_words:"true"`
 	AwsStorageClass            string        `split_words:"true"`
 	AwsAccessKeyID             string        `envconfig:"AWS_ACCESS_KEY_ID"`
 	AwsSecretAccessKey         string        `split_words:"true"`
 	AwsIamRoleEndpoint         string        `split_words:"true"`
 	GpgPassphrase              string        `split_words:"true"`
 	NotificationURLs           []string      `envconfig:"NOTIFICATION_URLS"`
 	NotificationLevel          string        `split_words:"true" default:"error"`
@@ -58,6 +65,38 @@ type Config struct {
 	LockTimeout                time.Duration `split_words:"true" default:"60m"`
 }
 func (c *Config) resolveSecret(envVar string, secretPath string) (string, error) {
 	if secretPath == "" {
 		return envVar, nil
 	}
 	data, err := os.ReadFile(secretPath)
 	if err != nil {
 		return "", fmt.Errorf("resolveSecret: error reading secret path: %w", err)
 	}
 	return string(data), nil
 }
 type CertDecoder struct {
 	Cert *x509.Certificate
 }
 func (c *CertDecoder) Decode(v string) error {
 	if v == "" {
 		return nil
 	}
 	content, err := ioutil.ReadFile(v)
 	if err != nil {
 		content = []byte(v)
 	}
 	block, _ := pem.Decode(content)
 	cert, err := x509.ParseCertificate(block.Bytes)
 	if err != nil {
 		return fmt.Errorf("config: error parsing certificate: %w", err)
 	}
 	*c = CertDecoder{Cert: cert}
 	return nil
 }
 type RegexpDecoder struct {
 	Re *regexp.Regexp
 }
--- a/cmd/backup/exec.go
+++ b/cmd/backup/exec.go
@@ -93,16 +93,68 @@ func (s *script) runLabeledCommands(label string) error {
 		return fmt.Errorf("runLabeledCommands: error querying for containers: %w", err)
 	}
 	var hasDeprecatedContainers bool
 	if label == "docker-volume-backup.archive-pre" {
 		f[0] = filters.KeyValuePair{
 			Key:   "label",
 			Value: "docker-volume-backup.exec-pre",
 		}
 		deprecatedContainers, err := s.cli.ContainerList(context.Background(), types.ContainerListOptions{
 			Quiet:   true,
 			Filters: filters.NewArgs(f...),
 		})
 		if err != nil {
 			return fmt.Errorf("runLabeledCommands: error querying for containers: %w", err)
 		}
 		if len(deprecatedContainers) != 0 {
 			hasDeprecatedContainers = true
 			containersWithCommand = append(containersWithCommand, deprecatedContainers...)
 		}
 	}
 	if label == "docker-volume-backup.archive-post" {
 		f[0] = filters.KeyValuePair{
 			Key:   "label",
 			Value: "docker-volume-backup.exec-post",
 		}
 		deprecatedContainers, err := s.cli.ContainerList(context.Background(), types.ContainerListOptions{
 			Quiet:   true,
 			Filters: filters.NewArgs(f...),
 		})
 		if err != nil {
 			return fmt.Errorf("runLabeledCommands: error querying for containers: %w", err)
 		}
 		if len(deprecatedContainers) != 0 {
 			hasDeprecatedContainers = true
 			containersWithCommand = append(containersWithCommand, deprecatedContainers...)
 		}
 	}
 	if len(containersWithCommand) == 0 {
 		return nil
 	}
 	if hasDeprecatedContainers {
 		s.logger.Warn(
 			"Using `docker-volume-backup.exec-pre` and `docker-volume-backup.exec-post` labels has been deprecated and will be removed in the next major version.",
 		)
 		s.logger.Warn(
 			"Please use other `-pre` and `-post` labels instead. Refer to the README for an upgrade guide.",
 		)
 	}
 	g := new(errgroup.Group)
 	for _, container := range containersWithCommand {
 		c := container
 		g.Go(func() error {
-			cmd, _ := c.Labels[label]
+			cmd, ok := c.Labels[label]
 			if !ok && label == "docker-volume-backup.archive-pre" {
 				cmd, _ = c.Labels["docker-volume-backup.exec-pre"]
 			} else if !ok && label == "docker-volume-backup.archive-post" {
 				cmd, _ = c.Labels["docker-volume-backup.exec-post"]
 			}
 			s.logger.Infof("Running %s command %s for container %s", label, cmd, strings.TrimPrefix(c.Names[0], "/"))
 			stdout, stderr, err := s.exec(c.ID, cmd)
 			if s.c.ExecForwardOutput {
@@ -121,3 +173,27 @@ func (s *script) runLabeledCommands(label string) error {
 	}
 	return nil
 }
 type lifecyclePhase string
 const (
 	lifecyclePhaseArchive lifecyclePhase = "archive"
 	lifecyclePhaseProcess lifecyclePhase = "process"
 	lifecyclePhaseCopy    lifecyclePhase = "copy"
 	lifecyclePhasePrune   lifecyclePhase = "prune"
 )
 func (s *script) withLabeledCommands(step lifecyclePhase, cb func() error) func() error {
 	if s.cli == nil {
 		return cb
 	}
 	return func() error {
 		if err := s.runLabeledCommands(fmt.Sprintf("docker-volume-backup.%s-pre", step)); err != nil {
 			return fmt.Errorf("withLabeledCommands: %s: error running pre commands: %w", step, err)
 		}
 		defer func() {
 			s.must(s.runLabeledCommands(fmt.Sprintf("docker-volume-backup.%s-post", step)))
 		}()
 		return cb()
 	}
 }
--- a/cmd/backup/hooks.go
+++ b/cmd/backup/hooks.go
@@ -6,6 +6,8 @@ package main
 import (
 	"fmt"
 	"sort"
 	"github.com/offen/docker-volume-backup/internal/utilities"
 )
 // hook contains a queued action that can be trigger them when the script
@@ -50,7 +52,7 @@ func (s *script) runHooks(err error) error {
 		}
 	}
 	if len(actionErrors) != 0 {
-		return join(actionErrors...)
+		return utilities.Join(actionErrors...)
 	}
 	return nil
 }
--- a/cmd/backup/lock.go
+++ b/cmd/backup/lock.go
@@ -31,7 +31,7 @@ func (s *script) lock(lockfile string) (func() error, error) {
 	for {
 		acquired, err := fileLock.TryLock()
 		if err != nil {
-			return noop, fmt.Errorf("lock: error trying lock: %w", err)
+			return noop, fmt.Errorf("lock: error trying to lock: %w", err)
 		}
 		if acquired {
 			if s.encounteredLock {
--- a/cmd/backup/main.go
+++ b/cmd/backup/main.go
@@ -38,14 +38,7 @@ func main() {
 		s.logger.Info("Finished running backup tasks.")
 	}()
-	s.must(func() error {
+	s.must(s.withLabeledCommands(lifecyclePhaseArchive, func() error {
 		runPostCommands, err := s.runCommands()
 		defer func() {
 			s.must(runPostCommands())
 		}()
 		if err != nil {
 			return err
 		}
 		restartContainers, err := s.stopContainers()
 		// The mechanism for restarting containers is not using hooks as it
 		// should happen as soon as possible (i.e. before uploading backups or
@@ -56,10 +49,10 @@ func main() {
 		if err != nil {
 			return err
 		}
-		return s.takeBackup()
+		return s.createArchive()
-	}())
+	})())
-	s.must(s.encryptBackup())
+	s.must(s.withLabeledCommands(lifecyclePhaseProcess, s.encryptArchive)())
-	s.must(s.copyBackup())
+	s.must(s.withLabeledCommands(lifecyclePhaseCopy, s.copyArchive)())
-	s.must(s.pruneBackups())
+	s.must(s.withLabeledCommands(lifecyclePhasePrune, s.pruneBackups)())
 }
--- a/cmd/backup/notifications.go
+++ b/cmd/backup/notifications.go
@@ -12,6 +12,7 @@ import (
 	"time"
 	sTypes "github.com/containrrr/shoutrrr/pkg/types"
 	"github.com/offen/docker-volume-backup/internal/utilities"
 )
 //go:embed notifications.tmpl
@@ -35,16 +36,16 @@ func (s *script) notify(titleTemplate string, bodyTemplate string, err error) er
 	titleBuf := &bytes.Buffer{}
 	if err := s.template.ExecuteTemplate(titleBuf, titleTemplate, params); err != nil {
-		return fmt.Errorf("notifyFailure: error executing %s template: %w", titleTemplate, err)
+		return fmt.Errorf("notify: error executing %s template: %w", titleTemplate, err)
 	}
 	bodyBuf := &bytes.Buffer{}
 	if err := s.template.ExecuteTemplate(bodyBuf, bodyTemplate, params); err != nil {
-		return fmt.Errorf("notifyFailure: error executing %s template: %w", bodyTemplate, err)
+		return fmt.Errorf("notify: error executing %s template: %w", bodyTemplate, err)
 	}
 	if err := s.sendNotification(titleBuf.String(), bodyBuf.String()); err != nil {
-		return fmt.Errorf("notifyFailure: error notifying: %w", err)
+		return fmt.Errorf("notify: error notifying: %w", err)
 	}
 	return nil
 }
@@ -68,7 +69,7 @@ func (s *script) sendNotification(title, body string) error {
 		}
 	}
 	if len(errs) != 0 {
-		return fmt.Errorf("sendNotification: error sending message: %w", join(errs...))
+		return fmt.Errorf("sendNotification: error sending message: %w", utilities.Join(errs...))
 	}
 	return nil
 }
--- a/cmd/backup/script.go
+++ b/cmd/backup/script.go
@@ -5,21 +5,21 @@ package main
 import (
 	"context"
 	"errors"
 	"fmt"
 	"io"
 	"io/fs"
 	"io/ioutil"
 	"net/http"
 	"os"
 	"path"
 	"path/filepath"
 	"strings"
 	"text/template"
 	"time"
-	"github.com/pkg/sftp"
+	"github.com/offen/docker-volume-backup/internal/storage"
-	"golang.org/x/crypto/ssh"
+	"github.com/offen/docker-volume-backup/internal/storage/local"
 	"github.com/offen/docker-volume-backup/internal/storage/s3"
 	"github.com/offen/docker-volume-backup/internal/storage/ssh"
 	"github.com/offen/docker-volume-backup/internal/storage/webdav"
 	"github.com/offen/docker-volume-backup/internal/utilities"
 	"github.com/containrrr/shoutrrr"
 	"github.com/containrrr/shoutrrr/pkg/router"
@@ -29,27 +29,22 @@ import (
 	"github.com/docker/docker/client"
 	"github.com/kelseyhightower/envconfig"
 	"github.com/leekchan/timeutil"
 	"github.com/minio/minio-go/v7"
 	"github.com/minio/minio-go/v7/pkg/credentials"
 	"github.com/otiai10/copy"
 	"github.com/sirupsen/logrus"
 	"github.com/studio-b12/gowebdav"
 	"golang.org/x/crypto/openpgp"
 	"golang.org/x/sync/errgroup"
 )
 // script holds all the stateful information required to orchestrate a
 // single backup run.
 type script struct {
-	cli          *client.Client
+	cli       *client.Client
-	minioClient  *minio.Client
+	storages  []storage.Backend
-	webdavClient *gowebdav.Client
+	logger    *logrus.Logger
-	sshClient    *ssh.Client
+	sender    *router.ServiceRouter
-	sftpClient   *sftp.Client
+	template  *template.Template
-	logger       *logrus.Logger
+	hooks     []hook
-	sender       *router.ServiceRouter
+	hookLevel hookLevel
 	template     *template.Template
 	hooks        []hook
 	hookLevel    hookLevel
 	file  string
 	stats *Stats
@@ -76,7 +71,12 @@ func newScript() (*script, error) {
 		stats: &Stats{
 			StartTime: time.Now(),
 			LogOutput: logBuffer,
-			Storages:  StoragesStats{},
+			Storages: map[string]StorageStats{
 				"S3":     {},
 				"WebDAV": {},
 				"SSH":    {},
 				"Local":  {},
 			},
 		},
 	}
@@ -108,112 +108,85 @@ func newScript() (*script, error) {
 		s.cli = cli
 	}
 	logFunc := func(logType storage.LogLevel, context string, msg string, params ...interface{}) {
 		switch logType {
 		case storage.LogLevelWarning:
 			s.logger.Warnf("["+context+"] "+msg, params...)
 		case storage.LogLevelError:
 			s.logger.Errorf("["+context+"] "+msg, params...)
 		case storage.LogLevelInfo:
 		default:
 			s.logger.Infof("["+context+"] "+msg, params...)
 		}
 	}
 	if s.c.AwsS3BucketName != "" {
-		var creds *credentials.Credentials
+		accessKeyID, err := s.c.resolveSecret(s.c.AwsAccessKeyID, s.c.AwsAccessKeyIDFile)
 		if s.c.AwsAccessKeyID != "" && s.c.AwsSecretAccessKey != "" {
 			creds = credentials.NewStaticV4(
 				s.c.AwsAccessKeyID,
 				s.c.AwsSecretAccessKey,
 				"",
 			)
 		} else if s.c.AwsIamRoleEndpoint != "" {
 			creds = credentials.NewIAM(s.c.AwsIamRoleEndpoint)
 		} else {
 			return nil, errors.New("newScript: AWS_S3_BUCKET_NAME is defined, but no credentials were provided")
 		}
 		options := minio.Options{
 			Creds:  creds,
 			Secure: s.c.AwsEndpointProto == "https",
 		}
 		if s.c.AwsEndpointInsecure {
 			if !options.Secure {
 				return nil, errors.New("newScript: AWS_ENDPOINT_INSECURE = true is only meaningful for https")
 			}
 			transport, err := minio.DefaultTransport(true)
 			if err != nil {
 				return nil, fmt.Errorf("newScript: failed to create default minio transport")
 			}
 			transport.TLSClientConfig.InsecureSkipVerify = true
 			options.Transport = transport
 		}
 		mc, err := minio.New(s.c.AwsEndpoint, &options)
 		if err != nil {
-			return nil, fmt.Errorf("newScript: error setting up minio client: %w", err)
+			return nil, fmt.Errorf("newScript: error resolving AwsAccessKeyID: %w", err)
 		}
 		secretAccessKey, err := s.c.resolveSecret(s.c.AwsSecretAccessKey, s.c.AwsSecretAccessKeyFile)
 		if err != nil {
 			return nil, fmt.Errorf("newScript: error resolving AwsSecretAccessKey: %w", err)
 		}
 		s3Config := s3.Config{
 			Endpoint:         s.c.AwsEndpoint,
 			AccessKeyID:      accessKeyID,
 			SecretAccessKey:  secretAccessKey,
 			IamRoleEndpoint:  s.c.AwsIamRoleEndpoint,
 			EndpointProto:    s.c.AwsEndpointProto,
 			EndpointInsecure: s.c.AwsEndpointInsecure,
 			RemotePath:       s.c.AwsS3Path,
 			BucketName:       s.c.AwsS3BucketName,
 			StorageClass:     s.c.AwsStorageClass,
 			CACert:           s.c.AwsEndpointCACert.Cert,
 		}
 		if s3Backend, err := s3.NewStorageBackend(s3Config, logFunc); err != nil {
 			return nil, err
 		} else {
 			s.storages = append(s.storages, s3Backend)
 		}
 		s.minioClient = mc
 	}
 	if s.c.WebdavUrl != "" {
-		if s.c.WebdavUsername == "" || s.c.WebdavPassword == "" {
+		webDavConfig := webdav.Config{
-			return nil, errors.New("newScript: WEBDAV_URL is defined, but no credentials were provided")
+			URL:         s.c.WebdavUrl,
 			URLInsecure: s.c.WebdavUrlInsecure,
 			Username:    s.c.WebdavUsername,
 			Password:    s.c.WebdavPassword,
 			RemotePath:  s.c.WebdavPath,
 		}
 		if webdavBackend, err := webdav.NewStorageBackend(webDavConfig, logFunc); err != nil {
 			return nil, err
 		} else {
-			webdavClient := gowebdav.NewClient(s.c.WebdavUrl, s.c.WebdavUsername, s.c.WebdavPassword)
+			s.storages = append(s.storages, webdavBackend)
 			s.webdavClient = webdavClient
 			if s.c.WebdavUrlInsecure {
 				defaultTransport, ok := http.DefaultTransport.(*http.Transport)
 				if !ok {
 					return nil, errors.New("newScript: unexpected error when asserting type for http.DefaultTransport")
 				}
 				webdavTransport := defaultTransport.Clone()
 				webdavTransport.TLSClientConfig.InsecureSkipVerify = s.c.WebdavUrlInsecure
 				s.webdavClient.SetTransport(webdavTransport)
 			}
 		}
 	}
 	if s.c.SSHHostName != "" {
-		var authMethods []ssh.AuthMethod
+		sshConfig := ssh.Config{
-
+			HostName:           s.c.SSHHostName,
-		if s.c.SSHPassword != "" {
+			Port:               s.c.SSHPort,
-			authMethods = append(authMethods, ssh.Password(s.c.SSHPassword))
+			User:               s.c.SSHUser,
 			Password:           s.c.SSHPassword,
 			IdentityFile:       s.c.SSHIdentityFile,
 			IdentityPassphrase: s.c.SSHIdentityPassphrase,
 			RemotePath:         s.c.SSHRemotePath,
 		}
-
+		if sshBackend, err := ssh.NewStorageBackend(sshConfig, logFunc); err != nil {
 		if _, err := os.Stat(s.c.SSHIdentityFile); err == nil {
 			key, err := ioutil.ReadFile(s.c.SSHIdentityFile)
 			if err != nil {
 				return nil, errors.New("newScript: error reading the private key")
 			}
 			var signer ssh.Signer
 			if s.c.SSHIdentityPassphrase != "" {
 				signer, err = ssh.ParsePrivateKeyWithPassphrase(key, []byte(s.c.SSHIdentityPassphrase))
 				if err != nil {
 					return nil, errors.New("newScript: error parsing the encrypted private key")
 				}
 				authMethods = append(authMethods, ssh.PublicKeys(signer))
 			} else {
 				signer, err = ssh.ParsePrivateKey(key)
 				if err != nil {
 					return nil, errors.New("newScript: error parsing the private key")
 				}
 				authMethods = append(authMethods, ssh.PublicKeys(signer))
 			}
 		}
 		sshClientConfig := &ssh.ClientConfig{
 			User:            s.c.SSHUser,
 			Auth:            authMethods,
 			HostKeyCallback: ssh.InsecureIgnoreHostKey(),
 		}
 		sshClient, err := ssh.Dial("tcp", fmt.Sprintf("%s:%s", s.c.SSHHostName, s.c.SSHPort), sshClientConfig)
 		s.sshClient = sshClient
 		if err != nil {
 			return nil, fmt.Errorf("newScript: error creating ssh client: %w", err)
 		}
 		_, _, err = s.sshClient.SendRequest("keepalive", false, nil)
 		if err != nil {
 			return nil, err
 		} else {
 			s.storages = append(s.storages, sshBackend)
 		}
 	}
-		sftpClient, err := sftp.NewClient(sshClient)
+	if _, err := os.Stat(s.c.BackupArchive); !os.IsNotExist(err) {
-		s.sftpClient = sftpClient
+		localConfig := local.Config{
-		if err != nil {
+			ArchivePath:   s.c.BackupArchive,
-			return nil, fmt.Errorf("newScript: error creating sftp client: %w", err)
+			LatestSymlink: s.c.BackupLatestSymlink,
 		}
 		localBackend := local.NewStorageBackend(localConfig, logFunc)
 		s.storages = append(s.storages, localBackend)
 	}
 	if s.c.EmailNotificationRecipient != "" {
@@ -282,22 +255,6 @@ func newScript() (*script, error) {
 	return s, nil
 }
 func (s *script) runCommands() (func() error, error) {
 	if s.cli == nil {
 		return noop, nil
 	}
 	if err := s.runLabeledCommands("docker-volume-backup.exec-pre"); err != nil {
 		return noop, fmt.Errorf("runCommands: error running pre commands: %w", err)
 	}
 	return func() error {
 		if err := s.runLabeledCommands("docker-volume-backup.exec-post"); err != nil {
 			return fmt.Errorf("runCommands: error running post commands: %w", err)
 		}
 		return nil
 	}, nil
 }
 // stopContainers stops all Docker containers that are marked as to being
 // stopped during the backup and returns a function that can be called to
 // restart everything that has been stopped.
@@ -310,7 +267,7 @@ func (s *script) stopContainers() (func() error, error) {
 		Quiet: true,
 	})
 	if err != nil {
-		return noop, fmt.Errorf("stopContainersAndRun: error querying for containers: %w", err)
+		return noop, fmt.Errorf("stopContainers: error querying for containers: %w", err)
 	}
 	containerLabel := fmt.Sprintf(
@@ -326,7 +283,7 @@ func (s *script) stopContainers() (func() error, error) {
 	})
 	if err != nil {
-		return noop, fmt.Errorf("stopContainersAndRun: error querying for containers to stop: %w", err)
+		return noop, fmt.Errorf("stopContainers: error querying for containers to stop: %w", err)
 	}
 	if len(containersToStop) == 0 {
@@ -353,9 +310,9 @@ func (s *script) stopContainers() (func() error, error) {
 	var stopError error
 	if len(stopErrors) != 0 {
 		stopError = fmt.Errorf(
-			"stopContainersAndRun: %d error(s) stopping containers: %w",
+			"stopContainers: %d error(s) stopping containers: %w",
 			len(stopErrors),
-			join(stopErrors...),
+			utilities.Join(stopErrors...),
 		)
 	}
@@ -390,7 +347,7 @@ func (s *script) stopContainers() (func() error, error) {
 					}
 				}
 				if serviceMatch.ID == "" {
-					return fmt.Errorf("stopContainersAndRun: couldn't find service with name %s", serviceName)
+					return fmt.Errorf("stopContainers: couldn't find service with name %s", serviceName)
 				}
 				serviceMatch.Spec.TaskTemplate.ForceUpdate = 1
 				if _, err := s.cli.ServiceUpdate(
@@ -404,9 +361,9 @@ func (s *script) stopContainers() (func() error, error) {
 		if len(restartErrors) != 0 {
 			return fmt.Errorf(
-				"stopContainersAndRun: %d error(s) restarting containers and services: %w",
+				"stopContainers: %d error(s) restarting containers and services: %w",
 				len(restartErrors),
-				join(restartErrors...),
+				utilities.Join(restartErrors...),
 			)
 		}
 		s.logger.Infof(
@@ -417,9 +374,9 @@ func (s *script) stopContainers() (func() error, error) {
 	}, stopError
 }
-// takeBackup creates a tar archive of the configured backup location and
+// createArchive creates a tar archive of the configured backup location and
 // saves it to disk.
-func (s *script) takeBackup() error {
+func (s *script) createArchive() error {
 	backupSources := s.c.BackupSources
 	if s.c.BackupFromSnapshot {
@@ -427,13 +384,13 @@ func (s *script) takeBackup() error {
 			"Using BACKUP_FROM_SNAPSHOT has been deprecated and will be removed in the next major version.",
 		)
 		s.logger.Warn(
-			"Please use `exec-pre` and `exec-post` commands to prepare your backup sources. Refer to the README for an upgrade guide.",
+			"Please use `archive-pre` and `archive-post` commands to prepare your backup sources. Refer to the README for an upgrade guide.",
 		)
 		backupSources = filepath.Join("/tmp", s.c.BackupSources)
 		// copy before compressing guard against a situation where backup folder's content are still growing.
 		s.registerHook(hookLevelPlumbing, func(error) error {
 			if err := remove(backupSources); err != nil {
-				return fmt.Errorf("takeBackup: error removing snapshot: %w", err)
+				return fmt.Errorf("createArchive: error removing snapshot: %w", err)
 			}
 			s.logger.Infof("Removed snapshot `%s`.", backupSources)
 			return nil
@@ -442,7 +399,7 @@ func (s *script) takeBackup() error {
 			PreserveTimes: true,
 			PreserveOwner: true,
 		}); err != nil {
-			return fmt.Errorf("takeBackup: error creating snapshot: %w", err)
+			return fmt.Errorf("createArchive: error creating snapshot: %w", err)
 		}
 		s.logger.Infof("Created snapshot of `%s` at `%s`.", s.c.BackupSources, backupSources)
 	}
@@ -450,7 +407,7 @@ func (s *script) takeBackup() error {
 	tarFile := s.file
 	s.registerHook(hookLevelPlumbing, func(error) error {
 		if err := remove(tarFile); err != nil {
-			return fmt.Errorf("takeBackup: error removing tar file: %w", err)
+			return fmt.Errorf("createArchive: error removing tar file: %w", err)
 		}
 		s.logger.Infof("Removed tar file `%s`.", tarFile)
 		return nil
@@ -458,7 +415,7 @@ func (s *script) takeBackup() error {
 	backupPath, err := filepath.Abs(stripTrailingSlashes(backupSources))
 	if err != nil {
-		return fmt.Errorf("takeBackup: error getting absolute path: %w", err)
+		return fmt.Errorf("createArchive: error getting absolute path: %w", err)
 	}
 	var filesEligibleForBackup []string
@@ -473,21 +430,21 @@ func (s *script) takeBackup() error {
 		filesEligibleForBackup = append(filesEligibleForBackup, path)
 		return nil
 	}); err != nil {
-		return fmt.Errorf("compress: error walking filesystem tree: %w", err)
+		return fmt.Errorf("createArchive: error walking filesystem tree: %w", err)
 	}
 	if err := createArchive(filesEligibleForBackup, backupSources, tarFile); err != nil {
-		return fmt.Errorf("takeBackup: error compressing backup folder: %w", err)
+		return fmt.Errorf("createArchive: error compressing backup folder: %w", err)
 	}
 	s.logger.Infof("Created backup of `%s` at `%s`.", backupSources, tarFile)
 	return nil
 }
-// encryptBackup encrypts the backup file using PGP and the configured passphrase.
+// encryptArchive encrypts the backup file using PGP and the configured passphrase.
 // In case no passphrase is given it returns early, leaving the backup file
 // untouched.
-func (s *script) encryptBackup() error {
+func (s *script) encryptArchive() error {
 	if s.c.GpgPassphrase == "" {
 		return nil
 	}
@@ -495,35 +452,35 @@ func (s *script) encryptBackup() error {
 	gpgFile := fmt.Sprintf("%s.gpg", s.file)
 	s.registerHook(hookLevelPlumbing, func(error) error {
 		if err := remove(gpgFile); err != nil {
-			return fmt.Errorf("encryptBackup: error removing gpg file: %w", err)
+			return fmt.Errorf("encryptArchive: error removing gpg file: %w", err)
 		}
 		s.logger.Infof("Removed GPG file `%s`.", gpgFile)
 		return nil
 	})
 	outFile, err := os.Create(gpgFile)
 	defer outFile.Close()
 	if err != nil {
-		return fmt.Errorf("encryptBackup: error opening out file: %w", err)
+		return fmt.Errorf("encryptArchive: error opening out file: %w", err)
 	}
 	defer outFile.Close()
 	_, name := path.Split(s.file)
 	dst, err := openpgp.SymmetricallyEncrypt(outFile, []byte(s.c.GpgPassphrase), &openpgp.FileHints{
 		IsBinary: true,
 		FileName: name,
 	}, nil)
 	defer dst.Close()
 	if err != nil {
-		return fmt.Errorf("encryptBackup: error encrypting backup file: %w", err)
+		return fmt.Errorf("encryptArchive: error encrypting backup file: %w", err)
 	}
 	defer dst.Close()
 	src, err := os.Open(s.file)
 	if err != nil {
-		return fmt.Errorf("encryptBackup: error opening backup file `%s`: %w", s.file, err)
+		return fmt.Errorf("encryptArchive: error opening backup file `%s`: %w", s.file, err)
 	}
 	if _, err := io.Copy(dst, src); err != nil {
-		return fmt.Errorf("encryptBackup: error writing ciphertext to file: %w", err)
+		return fmt.Errorf("encryptArchive: error writing ciphertext to file: %w", err)
 	}
 	s.file = gpgFile
@@ -531,12 +488,12 @@ func (s *script) encryptBackup() error {
 	return nil
 }
-// copyBackup makes sure the backup file is copied to both local and remote locations
+// copyArchive makes sure the backup file is copied to both local and remote locations
 // as per the given configuration.
-func (s *script) copyBackup() error {
+func (s *script) copyArchive() error {
 	_, name := path.Split(s.file)
 	if stat, err := os.Stat(s.file); err != nil {
-		return fmt.Errorf("copyBackup: unable to stat backup file: %w", err)
+		return fmt.Errorf("copyArchive: unable to stat backup file: %w", err)
 	} else {
 		size := stat.Size()
 		s.stats.BackupFile = BackupFileStats{
@@ -546,92 +503,17 @@ func (s *script) copyBackup() error {
 		}
 	}
-	if s.minioClient != nil {
+	eg := errgroup.Group{}
-		if _, err := s.minioClient.FPutObject(context.Background(), s.c.AwsS3BucketName, filepath.Join(s.c.AwsS3Path, name), s.file, minio.PutObjectOptions{
+	for _, backend := range s.storages {
-			ContentType:  "application/tar+gzip",
+		b := backend
-			StorageClass: s.c.AwsStorageClass,
+		eg.Go(func() error {
-		}); err != nil {
+			return b.Copy(s.file)
-			return fmt.Errorf("copyBackup: error uploading backup to remote storage: %w", err)
+		})
-		}
+	}
-		s.logger.Infof("Uploaded a copy of backup `%s` to bucket `%s`.", s.file, s.c.AwsS3BucketName)
+	if err := eg.Wait(); err != nil {
 		return fmt.Errorf("copyArchive: error copying archive: %w", err)
 	}
 	if s.webdavClient != nil {
 		bytes, err := os.ReadFile(s.file)
 		if err != nil {
 			return fmt.Errorf("copyBackup: error reading the file to be uploaded: %w", err)
 		}
 		if err := s.webdavClient.MkdirAll(s.c.WebdavPath, 0644); err != nil {
 			return fmt.Errorf("copyBackup: error creating directory '%s' on WebDAV server: %w", s.c.WebdavPath, err)
 		}
 		if err := s.webdavClient.Write(filepath.Join(s.c.WebdavPath, name), bytes, 0644); err != nil {
 			return fmt.Errorf("copyBackup: error uploading the file to WebDAV server: %w", err)
 		}
 		s.logger.Infof("Uploaded a copy of backup `%s` to WebDAV-URL '%s' at path '%s'.", s.file, s.c.WebdavUrl, s.c.WebdavPath)
 	}
 	if s.sshClient != nil {
 		source, err := os.Open(s.file)
 		if err != nil {
 			return fmt.Errorf("copyBackup: error reading the file to be uploaded: %w", err)
 		}
 		defer source.Close()
 		destination, err := s.sftpClient.Create(filepath.Join(s.c.SSHRemotePath, name))
 		if err != nil {
 			return fmt.Errorf("copyBackup: error creating file on SSH storage: %w", err)
 		}
 		defer destination.Close()
 		chunk := make([]byte, 1000000)
 		for {
 			num, err := source.Read(chunk)
 			if err == io.EOF {
 				tot, err := destination.Write(chunk[:num])
 				if err != nil {
 					return fmt.Errorf("copyBackup: error uploading the file to SSH storage: %w", err)
 				}
 				if tot != len(chunk[:num]) {
 					return fmt.Errorf("sshClient: failed to write stream")
 				}
 				break
 			}
 			if err != nil {
 				return fmt.Errorf("copyBackup: error uploading the file to SSH storage: %w", err)
 			}
 			tot, err := destination.Write(chunk[:num])
 			if err != nil {
 				return fmt.Errorf("copyBackup: error uploading the file to SSH storage: %w", err)
 			}
 			if tot != len(chunk[:num]) {
 				return fmt.Errorf("sshClient: failed to write stream")
 			}
 		}
 		s.logger.Infof("Uploaded a copy of backup `%s` to SSH storage '%s' at path '%s'.", s.file, s.c.SSHHostName, s.c.SSHRemotePath)
 	}
 	if _, err := os.Stat(s.c.BackupArchive); !os.IsNotExist(err) {
 		if err := copyFile(s.file, path.Join(s.c.BackupArchive, name)); err != nil {
 			return fmt.Errorf("copyBackup: error copying file to local archive: %w", err)
 		}
 		s.logger.Infof("Stored copy of backup `%s` in local archive `%s`.", s.file, s.c.BackupArchive)
 		if s.c.BackupLatestSymlink != "" {
 			symlink := path.Join(s.c.BackupArchive, s.c.BackupLatestSymlink)
 			if _, err := os.Lstat(symlink); err == nil {
 				os.Remove(symlink)
 			}
 			if err := os.Symlink(name, symlink); err != nil {
 				return fmt.Errorf("copyBackup: error creating latest symlink: %w", err)
 			}
 			s.logger.Infof("Created/Updated symlink `%s` for latest backup.", s.c.BackupLatestSymlink)
 		}
 	}
 	return nil
 }
@@ -645,208 +527,28 @@ func (s *script) pruneBackups() error {
 	deadline := time.Now().AddDate(0, 0, -int(s.c.BackupRetentionDays)).Add(s.c.BackupPruningLeeway)
-	// doPrune holds general control flow that applies to any kind of storage.
+	eg := errgroup.Group{}
-	// Callers can pass in a thunk that performs the actual deletion of files.
+	for _, backend := range s.storages {
-	var doPrune = func(lenMatches, lenCandidates int, description string, doRemoveFiles func() error) error {
+		b := backend
-		if lenMatches != 0 && lenMatches != lenCandidates {
+		eg.Go(func() error {
-			if err := doRemoveFiles(); err != nil {
+			stats, err := b.Prune(deadline, s.c.BackupPruningPrefix)
 			if err != nil {
 				return err
 			}
-			s.logger.Infof(
+			s.stats.Lock()
-				"Pruned %d out of %d %s as their age exceeded the configured retention period of %d days.",
+			s.stats.Storages[b.Name()] = StorageStats{
-				lenMatches,
+				Total:  stats.Total,
-				lenCandidates,
+				Pruned: stats.Pruned,
 				description,
 				s.c.BackupRetentionDays,
 			)
 		} else if lenMatches != 0 && lenMatches == lenCandidates {
 			s.logger.Warnf("The current configuration would delete all %d existing %s.", lenMatches, description)
 			s.logger.Warn("Refusing to do so, please check your configuration.")
 		} else {
 			s.logger.Infof("None of %d existing %s were pruned.", lenCandidates, description)
 		}
 		return nil
 	}
 	if s.minioClient != nil {
 		candidates := s.minioClient.ListObjects(context.Background(), s.c.AwsS3BucketName, minio.ListObjectsOptions{
 			WithMetadata: true,
 			Prefix:       filepath.Join(s.c.AwsS3Path, s.c.BackupPruningPrefix),
 			Recursive:    true,
 		})
 		var matches []minio.ObjectInfo
 		var lenCandidates int
 		for candidate := range candidates {
 			lenCandidates++
 			if candidate.Err != nil {
 				return fmt.Errorf(
 					"pruneBackups: error looking up candidates from remote storage: %w",
 					candidate.Err,
 				)
 			}
 			if candidate.LastModified.Before(deadline) {
 				matches = append(matches, candidate)
 			}
 		}
 		s.stats.Storages.S3 = StorageStats{
 			Total:  uint(lenCandidates),
 			Pruned: uint(len(matches)),
 		}
 		doPrune(len(matches), lenCandidates, "remote backup(s)", func() error {
 			objectsCh := make(chan minio.ObjectInfo)
 			go func() {
 				for _, match := range matches {
 					objectsCh <- match
 				}
 				close(objectsCh)
 			}()
 			errChan := s.minioClient.RemoveObjects(context.Background(), s.c.AwsS3BucketName, objectsCh, minio.RemoveObjectsOptions{})
 			var removeErrors []error
 			for result := range errChan {
 				if result.Err != nil {
 					removeErrors = append(removeErrors, result.Err)
 				}
 			}
 			if len(removeErrors) != 0 {
 				return join(removeErrors...)
 			}
 			s.stats.Unlock()
 			return nil
 		})
 	}
-	if s.webdavClient != nil {
+	if err := eg.Wait(); err != nil {
-		candidates, err := s.webdavClient.ReadDir(s.c.WebdavPath)
+		return fmt.Errorf("pruneBackups: error pruning backups: %w", err)
 		if err != nil {
 			return fmt.Errorf("pruneBackups: error looking up candidates from remote storage: %w", err)
 		}
 		var matches []fs.FileInfo
 		var lenCandidates int
 		for _, candidate := range candidates {
 			if !strings.HasPrefix(candidate.Name(), s.c.BackupPruningPrefix) {
 				continue
 			}
 			lenCandidates++
 			if candidate.ModTime().Before(deadline) {
 				matches = append(matches, candidate)
 			}
 		}
 		s.stats.Storages.WebDAV = StorageStats{
 			Total:  uint(lenCandidates),
 			Pruned: uint(len(matches)),
 		}
 		doPrune(len(matches), lenCandidates, "WebDAV backup(s)", func() error {
 			for _, match := range matches {
 				if err := s.webdavClient.Remove(filepath.Join(s.c.WebdavPath, match.Name())); err != nil {
 					return fmt.Errorf("pruneBackups: error removing file from WebDAV storage: %w", err)
 				}
 			}
 			return nil
 		})
 	}
 	if s.sshClient != nil {
 		candidates, err := s.sftpClient.ReadDir(s.c.SSHRemotePath)
 		if err != nil {
 			return fmt.Errorf("pruneBackups: error reading directory from SSH storage: %w", err)
 		}
 		var matches []string
 		for _, candidate := range candidates {
 			if !strings.HasPrefix(candidate.Name(), s.c.BackupPruningPrefix) {
 				continue
 			}
 			if candidate.ModTime().Before(deadline) {
 				matches = append(matches, candidate.Name())
 			}
 		}
 		s.stats.Storages.SSH = StorageStats{
 			Total:  uint(len(candidates)),
 			Pruned: uint(len(matches)),
 		}
 		doPrune(len(matches), len(candidates), "SSH backup(s)", func() error {
 			for _, match := range matches {
 				if err := s.sftpClient.Remove(filepath.Join(s.c.SSHRemotePath, match)); err != nil {
 					return fmt.Errorf("pruneBackups: error removing file from SSH storage: %w", err)
 				}
 			}
 			return nil
 		})
 	}
 	if _, err := os.Stat(s.c.BackupArchive); !os.IsNotExist(err) {
 		globPattern := path.Join(
 			s.c.BackupArchive,
 			fmt.Sprintf("%s*", s.c.BackupPruningPrefix),
 		)
 		globMatches, err := filepath.Glob(globPattern)
 		if err != nil {
 			return fmt.Errorf(
 				"pruneBackups: error looking up matching files using pattern %s: %w",
 				globPattern,
 				err,
 			)
 		}
 		var candidates []string
 		for _, candidate := range globMatches {
 			fi, err := os.Lstat(candidate)
 			if err != nil {
 				return fmt.Errorf(
 					"pruneBackups: error calling Lstat on file %s: %w",
 					candidate,
 					err,
 				)
 			}
 			if fi.Mode()&os.ModeSymlink != os.ModeSymlink {
 				candidates = append(candidates, candidate)
 			}
 		}
 		var matches []string
 		for _, candidate := range candidates {
 			fi, err := os.Stat(candidate)
 			if err != nil {
 				return fmt.Errorf(
 					"pruneBackups: error calling stat on file %s: %w",
 					candidate,
 					err,
 				)
 			}
 			if fi.ModTime().Before(deadline) {
 				matches = append(matches, candidate)
 			}
 		}
 		s.stats.Storages.Local = StorageStats{
 			Total:  uint(len(candidates)),
 			Pruned: uint(len(matches)),
 		}
 		doPrune(len(matches), len(candidates), "local backup(s)", func() error {
 			var removeErrors []error
 			for _, match := range matches {
 				if err := os.Remove(match); err != nil {
 					removeErrors = append(removeErrors, err)
 				}
 			}
 			if len(removeErrors) != 0 {
 				return fmt.Errorf(
 					"pruneBackups: %d error(s) deleting local files, starting with: %w",
 					len(removeErrors),
 					join(removeErrors...),
 				)
 			}
 			return nil
 		})
 	}
 	return nil
 }
--- a/cmd/backup/stats.go
+++ b/cmd/backup/stats.go
@@ -5,6 +5,7 @@ package main
 import (
 	"bytes"
 	"sync"
 	"time"
 )
@@ -30,16 +31,9 @@ type StorageStats struct {
 	PruneErrors uint
 }
 // StoragesStats stats about each possible archival location (Local, WebDAV, SSH, S3)
 type StoragesStats struct {
 	Local  StorageStats
 	WebDAV StorageStats
 	SSH    StorageStats
 	S3     StorageStats
 }
 // Stats global stats regarding script execution
 type Stats struct {
 	sync.Mutex
 	StartTime  time.Time
 	EndTime    time.Time
 	TookTime   time.Duration
@@ -47,5 +41,5 @@ type Stats struct {
 	LogOutput  *bytes.Buffer
 	Containers ContainersStats
 	BackupFile BackupFileStats
-	Storages   StoragesStats
+	Storages   map[string]StorageStats
 }
--- a/cmd/backup/util.go
+++ b/cmd/backup/util.go
@@ -5,51 +5,13 @@ package main
 import (
 	"bytes"
 	"errors"
 	"fmt"
 	"io"
 	"os"
 	"strings"
 )
 var noop = func() error { return nil }
 // copy creates a copy of the file located at `dst` at `src`.
 func copyFile(src, dst string) error {
 	in, err := os.Open(src)
 	if err != nil {
 		return err
 	}
 	defer in.Close()
 	out, err := os.Create(dst)
 	if err != nil {
 		return err
 	}
 	_, err = io.Copy(out, in)
 	if err != nil {
 		out.Close()
 		return err
 	}
 	return out.Close()
 }
 // join takes a list of errors and joins them into a single error
 func join(errs ...error) error {
 	if len(errs) == 1 {
 		return errs[0]
 	}
 	var msgs []string
 	for _, err := range errs {
 		if err == nil {
 			continue
 		}
 		msgs = append(msgs, err.Error())
 	}
 	return errors.New("[" + strings.Join(msgs, ", ") + "]")
 }
 // remove removes the given file or directory from disk.
 func remove(location string) error {
 	fi, err := os.Lstat(location)
@@ -84,7 +46,7 @@ type bufferingWriter struct {
 func (b *bufferingWriter) Write(p []byte) (n int, err error) {
 	if n, err := b.buf.Write(p); err != nil {
-		return n, fmt.Errorf("bufferingWriter: error writing to buffer: %w", err)
+		return n, fmt.Errorf("(*bufferingWriter).Write: error writing to buffer: %w", err)
 	}
 	return b.writer.Write(p)
 }
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -13,6 +13,7 @@ if [ ! -d "/etc/dockervolumebackup/conf.d" ]; then
 else
  echo "/etc/dockervolumebackup/conf.d was found, using configuration files from this directory."
  crontab -r && crontab /dev/null
  for file in /etc/dockervolumebackup/conf.d/*; do
    source $file
    BACKUP_CRON_EXPRESSION="${BACKUP_CRON_EXPRESSION:-@daily}"
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,6 @@
 module github.com/offen/docker-volume-backup
-go 1.18
+go 1.19
 require (
 	github.com/containrrr/shoutrrr v0.5.2
@@ -9,12 +9,12 @@ require (
 	github.com/gofrs/flock v0.8.1
 	github.com/kelseyhightower/envconfig v1.4.0
 	github.com/leekchan/timeutil v0.0.0-20150802142658-28917288c48d
-	github.com/minio/minio-go/v7 v7.0.16
+	github.com/minio/minio-go/v7 v7.0.44
 	github.com/otiai10/copy v1.7.0
 	github.com/pkg/sftp v1.13.5
-	github.com/sirupsen/logrus v1.8.1
+	github.com/sirupsen/logrus v1.9.0
 	github.com/studio-b12/gowebdav v0.0.0-20220128162035-c7b1ff8a5e62
-	golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3
+	golang.org/x/crypto v0.3.0
 	golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f
 )
@@ -32,15 +32,14 @@ require (
 	github.com/google/uuid v1.3.0 // indirect
 	github.com/gorilla/mux v1.7.3 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
-	github.com/klauspost/compress v1.15.6 // indirect
+	github.com/klauspost/compress v1.15.12 // indirect
-	github.com/klauspost/cpuid/v2 v2.0.9 // indirect
+	github.com/klauspost/cpuid/v2 v2.2.1 // indirect
 	github.com/kr/fs v0.1.0 // indirect
 	github.com/kr/text v0.2.0 // indirect
 	github.com/mattn/go-colorable v0.1.8 // indirect
 	github.com/mattn/go-isatty v0.0.12 // indirect
 	github.com/minio/md5-simd v1.1.2 // indirect
 	github.com/minio/sha256-simd v1.0.0 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/moby/term v0.0.0-20200312100748-672ec06f55cd // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
@@ -52,16 +51,16 @@ require (
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.0.3-0.20211202183452-c5a74bcca799 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
-	github.com/rs/xid v1.3.0 // indirect
+	github.com/rs/xid v1.4.0 // indirect
-	golang.org/x/net v0.0.0-20220607020251-c690dde0001d // indirect
+	golang.org/x/net v0.2.0 // indirect
-	golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a // indirect
+	golang.org/x/sys v0.2.0 // indirect
-	golang.org/x/text v0.3.7 // indirect
+	golang.org/x/text v0.4.0 // indirect
 	golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
 	google.golang.org/genproto v0.0.0-20220602131408-e326c6e8e9c8 // indirect
 	google.golang.org/grpc v1.47.0 // indirect
 	google.golang.org/protobuf v1.28.0 // indirect
 	gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f // indirect
-	gopkg.in/ini.v1 v1.65.0 // indirect
+	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 )
--- a/go.sum
+++ b/go.sum
@@ -146,7 +146,6 @@ github.com/jarcoal/httpmock v1.0.4 h1:jp+dy/+nonJE4g4xbVtl9QdrUNbn6/3hDT5R4nDIZn
 github.com/jarcoal/httpmock v1.0.4/go.mod h1:ATjnClrvW/3tijVmpL/va5Z3aAyGvqU3gCT8nX0Txik=
 github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo=
 github.com/json-iterator/go v1.1.9/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
 github.com/json-iterator/go v1.1.10/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
 github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
 github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU=
@@ -158,15 +157,12 @@ github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/klauspost/compress v1.10.3/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs=
 github.com/klauspost/compress v1.11.7/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs=
-github.com/klauspost/compress v1.13.5/go.mod h1:/3/Vjq9QcHkK5uEr5lBEmyoZ1iFhe47etQ6QUkpK6sk=
+github.com/klauspost/compress v1.15.12 h1:YClS/PImqYbn+UILDnqxQCZ3RehC9N318SU3kElDUEM=
-github.com/klauspost/compress v1.15.6 h1:6D9PcO8QWu0JyaQ2zUMmu16T1T+zjjEpP91guRsvDfY=
+github.com/klauspost/compress v1.15.12/go.mod h1:QPwzmACJjUTFsnSHH934V6woptycfrDDJnH7hvFVbGM=
 github.com/klauspost/compress v1.15.6/go.mod h1:PhcZ0MbTNciWF3rruxRgKxI5NkcHHrHUDtV4Yw2GlzU=
 github.com/klauspost/cpuid v1.2.3/go.mod h1:Pj4uuM528wm8OyEC2QMXAi2YiTZ96dNQPGgoMS4s3ek=
 github.com/klauspost/cpuid v1.3.1/go.mod h1:bYW4mA6ZgKPob1/Dlai2LviZJO7KGI3uoWLd42rAQw4=
 github.com/klauspost/cpuid/v2 v2.0.1/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg=
 github.com/klauspost/cpuid/v2 v2.0.4/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg=
-github.com/klauspost/cpuid/v2 v2.0.9 h1:lgaqFMSdTdQYdZ04uHyN2d/eKdOMyi2YLSvlQIBFYa4=
+github.com/klauspost/cpuid/v2 v2.2.1 h1:U33DW0aiEj633gHYw3LoDNfkDiYnE5Q8M/TKJn2f2jI=
-github.com/klauspost/cpuid/v2 v2.0.9/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg=
+github.com/klauspost/cpuid/v2 v2.2.1/go.mod h1:RVVoqg1df56z8g3pUjL/3lE5UfnlrJX8tyFgg4nqhuY=
 github.com/knq/sysutil v0.0.0-20181215143952-f05b59f0f307/go.mod h1:BjPj+aVjl9FW/cCGiF3nGh5v+9Gd3VCgBQbod/GlMaQ=
 github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
@@ -198,15 +194,12 @@ github.com/mattn/go-isatty v0.0.9/go.mod h1:YNRxwqDuOph6SZLI9vUUz6OYw3QyUt7WiY2y
 github.com/mattn/go-isatty v0.0.12 h1:wuysRhFDzyxgEmMf5xjvJ2M9dZoWAXNNr5LSBS7uHXY=
 github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU=
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
 github.com/minio/md5-simd v1.1.0/go.mod h1:XpBqgZULrMYD3R+M28PcmP0CkI7PEMzB3U77ZrKZ0Gw=
 github.com/minio/md5-simd v1.1.2 h1:Gdi1DZK69+ZVMoNHRXJyNcxrMA4dSxoYHZSQbirFg34=
 github.com/minio/md5-simd v1.1.2/go.mod h1:MzdKDxYpY2BT9XQFocsiZf/NKVtR7nkE4RoEpN+20RM=
-github.com/minio/minio-go/v7 v7.0.16 h1:GspaSBS8lOuEUCAqMe0W3UxSoyOA4b4F8PTspRVI+k4=
+github.com/minio/minio-go/v7 v7.0.44 h1:9zUJ7iU7ax2P1jOvTp6nVrgzlZq3AZlFm0XfRFDKstM=
-github.com/minio/minio-go/v7 v7.0.16/go.mod h1:pUV0Pc+hPd1nccgmzQF/EXh48l/Z/yps6QPF1aaie4g=
+github.com/minio/minio-go/v7 v7.0.44/go.mod h1:nCrRzjoSUQh8hgKKtu3Y708OLvRLtuASMg2/nvmbarw=
 github.com/minio/sha256-simd v0.1.1/go.mod h1:B5e1o+1/KgNmWrSQK08Y6Z1Vb5pwIktudl0J58iy0KM=
 github.com/minio/sha256-simd v1.0.0 h1:v1ta+49hkWZyvaKwrQB8elexRqm6Y0aMLjCNsrYxo6g=
 github.com/minio/sha256-simd v1.0.0/go.mod h1:OuYzVNI5vcoYIAmbIvHPl3N3jUzVedXbKy5RFepssQM=
 github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
 github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
 github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
 github.com/mitchellh/mapstructure v1.2.2/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
@@ -271,17 +264,16 @@ github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084/go.mod h1:TjEm7z
 github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU=
 github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg=
 github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
-github.com/rs/xid v1.2.1/go.mod h1:+uKXf+4Djp6Md1KODXJxgGQPKngRmWyn10oCKFzNHOQ=
+github.com/rs/xid v1.4.0 h1:qd7wPTDkN6KQx2VmMBLrpHkiyQwgFXRnkOLacUiaSNY=
-github.com/rs/xid v1.3.0 h1:6NjYksEUlhurdVehpc7S7dk6DAmcKv8V9gG0FsVN2U4=
+github.com/rs/xid v1.4.0/go.mod h1:trrq9SKmegXys3aeAKXMUTdJsYXVwGY3RLcfgqegfbg=
 github.com/rs/xid v1.3.0/go.mod h1:trrq9SKmegXys3aeAKXMUTdJsYXVwGY3RLcfgqegfbg=
 github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
 github.com/sirupsen/logrus v1.0.5/go.mod h1:pMByvHTf9Beacp5x1UXfOR9xyW/9antXMhjMPG0dEzc=
 github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
 github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
 github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
-github.com/sirupsen/logrus v1.8.1 h1:dJKuHgqk1NNQlqoA6BTlM1Wf9DOH3NBjQyu0h9+AZZE=
+github.com/sirupsen/logrus v1.9.0 h1:trlNQbNUG3OdDrDil03MCb1H2o9nJ1x4/5LYw7byDE0=
-github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
+github.com/sirupsen/logrus v1.9.0/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc=
 github.com/smartystreets/goconvey v1.6.4/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA=
 github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM=
@@ -329,9 +321,9 @@ golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnf
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20201216223049-8b5274cf687f/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
 golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3 h1:0es+/5331RGQPcXlMfP+WrnIIS6dNnNRe0WB02W0F4M=
 golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.3.0 h1:a06MkbcxBrEFc0w0QIZWXrH/9cCX6KJyWbBOIwAn+7A=
 golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
@@ -353,14 +345,13 @@ golang.org/x/net v0.0.0-20190522155817-f3200d17e092/go.mod h1:HSz+uSET+XFnRR8LxR
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
 golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
 golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
 golang.org/x/net v0.0.0-20201006153459-a7d1128ccaa0/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.0.0-20220607020251-c690dde0001d h1:4SFsTMi4UahlKoloni7L4eYzhFRifURQLw+yv0QDCx8=
+golang.org/x/net v0.2.0 h1:sZfSu1wtKLGlWI4ZZayP0ck9Y73K1ynO6gqzTdBVdPU=
-golang.org/x/net v0.0.0-20220607020251-c690dde0001d/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
+golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -394,7 +385,6 @@ golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20200302150141-5c8b2ff67527/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200519105757-fe76b779f299/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200625212154-ddb9806d33ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210113181707-4bcb84eeeb78/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -405,18 +395,19 @@ golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a h1:dGzPydgVsqGcTRVwiLJ1jVbufYwmzD3LfVPLKsKg+0k=
+golang.org/x/sys v0.0.0-20220704084225-05e143d24a9e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
+golang.org/x/sys v0.2.0 h1:ljd4t30dBnAvMZaQCevtY0xLLD0A+bRZXbgLMLU1F/A=
 golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 h1:JGgROgKl9N8DuW20oFS5gxc+lE67/N3FcwmBPMe7ArY=
+golang.org/x/term v0.2.0 h1:z85xZCsEl7bi/KwbNADeBYoOP0++7W1ipu+aGnpwzRM=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.7 h1:olpwvP2KacW1ZWvsR7uQhoyTYvKAupfQrRGBFM352Gk=
+golang.org/x/text v0.4.0 h1:BrVqGRd7+k1DiOgtnFvAkoQEWQvBc25ouMJM6429SFg=
-golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
+golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac h1:7zkz7BUtwNFFqcowJ+RIgu2MaV/MapERkDIy+mwPyjs=
@@ -479,9 +470,8 @@ gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMy
 gopkg.in/gemnasium/logrus-airbrake-hook.v2 v2.1.2/go.mod h1:Xk6kEKp8OKb+X14hQBKWaSkCsqBpgog8nAV2xsGOxlo=
 gopkg.in/ini.v1 v1.51.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
 gopkg.in/ini.v1 v1.55.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
-gopkg.in/ini.v1 v1.57.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
+gopkg.in/ini.v1 v1.67.0 h1:Dgnx+6+nfE+IfzjUEISNeydPJh9AXNNsWbGP9KzCsOA=
-gopkg.in/ini.v1 v1.65.0 h1:B2//IEITFk89S+Nl2tozBeqUvFEpUAY6daarSlrx8jU=
+gopkg.in/ini.v1 v1.67.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
 gopkg.in/ini.v1 v1.65.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
 gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
--- a/internal/storage/local/local.go
+++ b/internal/storage/local/local.go
@@ -0,0 +1,160 @@
 // Copyright 2022 - Offen Authors <hioffen@posteo.de>
 // SPDX-License-Identifier: MPL-2.0
 package local
 import (
 	"fmt"
 	"io"
 	"os"
 	"path"
 	"path/filepath"
 	"time"
 	"github.com/offen/docker-volume-backup/internal/storage"
 	"github.com/offen/docker-volume-backup/internal/utilities"
 )
 type localStorage struct {
 	*storage.StorageBackend
 	latestSymlink string
 }
 // Config allows configuration of a local storage backend.
 type Config struct {
 	ArchivePath   string
 	LatestSymlink string
 }
 // NewStorageBackend creates and initializes a new local storage backend.
 func NewStorageBackend(opts Config, logFunc storage.Log) storage.Backend {
 	return &localStorage{
 		StorageBackend: &storage.StorageBackend{
 			DestinationPath: opts.ArchivePath,
 			Log:             logFunc,
 		},
 		latestSymlink: opts.LatestSymlink,
 	}
 }
 // Name return the name of the storage backend
 func (b *localStorage) Name() string {
 	return "Local"
 }
 // Copy copies the given file to the local storage backend.
 func (b *localStorage) Copy(file string) error {
 	_, name := path.Split(file)
 	if err := copyFile(file, path.Join(b.DestinationPath, name)); err != nil {
 		return fmt.Errorf("(*localStorage).Copy: Error copying file to local archive: %w", err)
 	}
 	b.Log(storage.LogLevelInfo, b.Name(), "Stored copy of backup `%s` in local archive `%s`.", file, b.DestinationPath)
 	if b.latestSymlink != "" {
 		symlink := path.Join(b.DestinationPath, b.latestSymlink)
 		if _, err := os.Lstat(symlink); err == nil {
 			os.Remove(symlink)
 		}
 		if err := os.Symlink(name, symlink); err != nil {
 			return fmt.Errorf("(*localStorage).Copy: error creating latest symlink: %w", err)
 		}
 		b.Log(storage.LogLevelInfo, b.Name(), "Created/Updated symlink `%s` for latest backup.", b.latestSymlink)
 	}
 	return nil
 }
 // Prune rotates away backups according to the configuration and provided deadline for the local storage backend.
 func (b *localStorage) Prune(deadline time.Time, pruningPrefix string) (*storage.PruneStats, error) {
 	globPattern := path.Join(
 		b.DestinationPath,
 		fmt.Sprintf("%s*", pruningPrefix),
 	)
 	globMatches, err := filepath.Glob(globPattern)
 	if err != nil {
 		return nil, fmt.Errorf(
 			"(*localStorage).Prune: Error looking up matching files using pattern %s: %w",
 			globPattern,
 			err,
 		)
 	}
 	var candidates []string
 	for _, candidate := range globMatches {
 		fi, err := os.Lstat(candidate)
 		if err != nil {
 			return nil, fmt.Errorf(
 				"(*localStorage).Prune: Error calling Lstat on file %s: %w",
 				candidate,
 				err,
 			)
 		}
 		if fi.Mode()&os.ModeSymlink != os.ModeSymlink {
 			candidates = append(candidates, candidate)
 		}
 	}
 	var matches []string
 	for _, candidate := range candidates {
 		fi, err := os.Stat(candidate)
 		if err != nil {
 			return nil, fmt.Errorf(
 				"(*localStorage).Prune: Error calling stat on file %s: %w",
 				candidate,
 				err,
 			)
 		}
 		if fi.ModTime().Before(deadline) {
 			matches = append(matches, candidate)
 		}
 	}
 	stats := &storage.PruneStats{
 		Total:  uint(len(candidates)),
 		Pruned: uint(len(matches)),
 	}
 	if err := b.DoPrune(b.Name(), len(matches), len(candidates), "local backup(s)", func() error {
 		var removeErrors []error
 		for _, match := range matches {
 			if err := os.Remove(match); err != nil {
 				removeErrors = append(removeErrors, err)
 			}
 		}
 		if len(removeErrors) != 0 {
 			return fmt.Errorf(
 				"(*localStorage).Prune: %d error(s) deleting local files, starting with: %w",
 				len(removeErrors),
 				utilities.Join(removeErrors...),
 			)
 		}
 		return nil
 	}); err != nil {
 		return stats, err
 	}
 	return stats, nil
 }
 // copy creates a copy of the file located at `dst` at `src`.
 func copyFile(src, dst string) error {
 	in, err := os.Open(src)
 	if err != nil {
 		return err
 	}
 	defer in.Close()
 	out, err := os.Create(dst)
 	if err != nil {
 		return err
 	}
 	_, err = io.Copy(out, in)
 	if err != nil {
 		out.Close()
 		return err
 	}
 	return out.Close()
 }
--- a/internal/storage/s3/s3.go
+++ b/internal/storage/s3/s3.go
@@ -0,0 +1,170 @@
 // Copyright 2022 - Offen Authors <hioffen@posteo.de>
 // SPDX-License-Identifier: MPL-2.0
 package s3
 import (
 	"context"
 	"crypto/x509"
 	"errors"
 	"fmt"
 	"path"
 	"path/filepath"
 	"time"
 	"github.com/minio/minio-go/v7"
 	"github.com/minio/minio-go/v7/pkg/credentials"
 	"github.com/offen/docker-volume-backup/internal/storage"
 	"github.com/offen/docker-volume-backup/internal/utilities"
 )
 type s3Storage struct {
 	*storage.StorageBackend
 	client       *minio.Client
 	bucket       string
 	storageClass string
 }
 // Config contains values that define the configuration of a S3 backend.
 type Config struct {
 	Endpoint         string
 	AccessKeyID      string
 	SecretAccessKey  string
 	IamRoleEndpoint  string
 	EndpointProto    string
 	EndpointInsecure bool
 	RemotePath       string
 	BucketName       string
 	StorageClass     string
 	CACert           *x509.Certificate
 }
 // NewStorageBackend creates and initializes a new S3/Minio storage backend.
 func NewStorageBackend(opts Config, logFunc storage.Log) (storage.Backend, error) {
 	var creds *credentials.Credentials
 	if opts.AccessKeyID != "" && opts.SecretAccessKey != "" {
 		creds = credentials.NewStaticV4(
 			opts.AccessKeyID,
 			opts.SecretAccessKey,
 			"",
 		)
 	} else if opts.IamRoleEndpoint != "" {
 		creds = credentials.NewIAM(opts.IamRoleEndpoint)
 	} else {
 		return nil, errors.New("NewStorageBackend: AWS_S3_BUCKET_NAME is defined, but no credentials were provided")
 	}
 	options := minio.Options{
 		Creds:  creds,
 		Secure: opts.EndpointProto == "https",
 	}
 	transport, err := minio.DefaultTransport(true)
 	if err != nil {
 		return nil, fmt.Errorf("NewStorageBackend: failed to create default minio transport: %w", err)
 	}
 	if opts.EndpointInsecure {
 		if !options.Secure {
 			return nil, errors.New("NewStorageBackend: AWS_ENDPOINT_INSECURE = true is only meaningful for https")
 		}
 		transport.TLSClientConfig.InsecureSkipVerify = true
 	} else if opts.CACert != nil {
 		if transport.TLSClientConfig.RootCAs == nil {
 			transport.TLSClientConfig.RootCAs = x509.NewCertPool()
 		}
 		transport.TLSClientConfig.RootCAs.AddCert(opts.CACert)
 	}
 	options.Transport = transport
 	mc, err := minio.New(opts.Endpoint, &options)
 	if err != nil {
 		return nil, fmt.Errorf("NewStorageBackend: error setting up minio client: %w", err)
 	}
 	return &s3Storage{
 		StorageBackend: &storage.StorageBackend{
 			DestinationPath: opts.RemotePath,
 			Log:             logFunc,
 		},
 		client:       mc,
 		bucket:       opts.BucketName,
 		storageClass: opts.StorageClass,
 	}, nil
 }
 // Name returns the name of the storage backend
 func (v *s3Storage) Name() string {
 	return "S3"
 }
 // Copy copies the given file to the S3/Minio storage backend.
 func (b *s3Storage) Copy(file string) error {
 	_, name := path.Split(file)
 	if _, err := b.client.FPutObject(context.Background(), b.bucket, filepath.Join(b.DestinationPath, name), file, minio.PutObjectOptions{
 		ContentType:  "application/tar+gzip",
 		StorageClass: b.storageClass,
 	}); err != nil {
 		if errResp := minio.ToErrorResponse(err); errResp.Message != "" {
 			return fmt.Errorf("(*s3Storage).Copy: error uploading backup to remote storage: [Message]: '%s', [Code]: %s, [StatusCode]: %d", errResp.Message, errResp.Code, errResp.StatusCode)
 		}
 		return fmt.Errorf("(*s3Storage).Copy: error uploading backup to remote storage: %w", err)
 	}
 	b.Log(storage.LogLevelInfo, b.Name(), "Uploaded a copy of backup `%s` to bucket `%s`.", file, b.bucket)
 	return nil
 }
 // Prune rotates away backups according to the configuration and provided deadline for the S3/Minio storage backend.
 func (b *s3Storage) Prune(deadline time.Time, pruningPrefix string) (*storage.PruneStats, error) {
 	candidates := b.client.ListObjects(context.Background(), b.bucket, minio.ListObjectsOptions{
 		Prefix:    filepath.Join(b.DestinationPath, pruningPrefix),
 		Recursive: true,
 	})
 	var matches []minio.ObjectInfo
 	var lenCandidates int
 	for candidate := range candidates {
 		lenCandidates++
 		if candidate.Err != nil {
 			return nil, fmt.Errorf(
 				"(*s3Storage).Prune: Error looking up candidates from remote storage! %w",
 				candidate.Err,
 			)
 		}
 		if candidate.LastModified.Before(deadline) {
 			matches = append(matches, candidate)
 		}
 	}
 	stats := &storage.PruneStats{
 		Total:  uint(lenCandidates),
 		Pruned: uint(len(matches)),
 	}
 	if err := b.DoPrune(b.Name(), len(matches), lenCandidates, "remote backup(s)", func() error {
 		objectsCh := make(chan minio.ObjectInfo)
 		go func() {
 			for _, match := range matches {
 				objectsCh <- match
 			}
 			close(objectsCh)
 		}()
 		errChan := b.client.RemoveObjects(context.Background(), b.bucket, objectsCh, minio.RemoveObjectsOptions{})
 		var removeErrors []error
 		for result := range errChan {
 			if result.Err != nil {
 				removeErrors = append(removeErrors, result.Err)
 			}
 		}
 		if len(removeErrors) != 0 {
 			return utilities.Join(removeErrors...)
 		}
 		return nil
 	}); err != nil {
 		return stats, err
 	}
 	return stats, nil
 }
--- a/internal/storage/ssh/ssh.go
+++ b/internal/storage/ssh/ssh.go
@@ -0,0 +1,190 @@
 // Copyright 2022 - Offen Authors <hioffen@posteo.de>
 // SPDX-License-Identifier: MPL-2.0
 package ssh
 import (
 	"errors"
 	"fmt"
 	"io"
 	"io/ioutil"
 	"os"
 	"path"
 	"path/filepath"
 	"strings"
 	"time"
 	"github.com/offen/docker-volume-backup/internal/storage"
 	"github.com/pkg/sftp"
 	"golang.org/x/crypto/ssh"
 )
 type sshStorage struct {
 	*storage.StorageBackend
 	client     *ssh.Client
 	sftpClient *sftp.Client
 	hostName   string
 }
 // Config allows to configure a SSH backend.
 type Config struct {
 	HostName           string
 	Port               string
 	User               string
 	Password           string
 	IdentityFile       string
 	IdentityPassphrase string
 	RemotePath         string
 }
 // NewStorageBackend creates and initializes a new SSH storage backend.
 func NewStorageBackend(opts Config, logFunc storage.Log) (storage.Backend, error) {
 	var authMethods []ssh.AuthMethod
 	if opts.Password != "" {
 		authMethods = append(authMethods, ssh.Password(opts.Password))
 	}
 	if _, err := os.Stat(opts.IdentityFile); err == nil {
 		key, err := ioutil.ReadFile(opts.IdentityFile)
 		if err != nil {
 			return nil, errors.New("NewStorageBackend: error reading the private key")
 		}
 		var signer ssh.Signer
 		if opts.IdentityPassphrase != "" {
 			signer, err = ssh.ParsePrivateKeyWithPassphrase(key, []byte(opts.IdentityPassphrase))
 			if err != nil {
 				return nil, errors.New("NewStorageBackend: error parsing the encrypted private key")
 			}
 			authMethods = append(authMethods, ssh.PublicKeys(signer))
 		} else {
 			signer, err = ssh.ParsePrivateKey(key)
 			if err != nil {
 				return nil, errors.New("NewStorageBackend: error parsing the private key")
 			}
 			authMethods = append(authMethods, ssh.PublicKeys(signer))
 		}
 	}
 	sshClientConfig := &ssh.ClientConfig{
 		User:            opts.User,
 		Auth:            authMethods,
 		HostKeyCallback: ssh.InsecureIgnoreHostKey(),
 	}
 	sshClient, err := ssh.Dial("tcp", fmt.Sprintf("%s:%s", opts.HostName, opts.Port), sshClientConfig)
 	if err != nil {
 		return nil, fmt.Errorf("NewStorageBackend: Error creating ssh client: %w", err)
 	}
 	_, _, err = sshClient.SendRequest("keepalive", false, nil)
 	if err != nil {
 		return nil, err
 	}
 	sftpClient, err := sftp.NewClient(sshClient)
 	if err != nil {
 		return nil, fmt.Errorf("NewStorageBackend: error creating sftp client: %w", err)
 	}
 	return &sshStorage{
 		StorageBackend: &storage.StorageBackend{
 			DestinationPath: opts.RemotePath,
 			Log:             logFunc,
 		},
 		client:     sshClient,
 		sftpClient: sftpClient,
 		hostName:   opts.HostName,
 	}, nil
 }
 // Name returns the name of the storage backend
 func (b *sshStorage) Name() string {
 	return "SSH"
 }
 // Copy copies the given file to the SSH storage backend.
 func (b *sshStorage) Copy(file string) error {
 	source, err := os.Open(file)
 	_, name := path.Split(file)
 	if err != nil {
 		return fmt.Errorf("(*sshStorage).Copy: Error reading the file to be uploaded: %w", err)
 	}
 	defer source.Close()
 	destination, err := b.sftpClient.Create(filepath.Join(b.DestinationPath, name))
 	if err != nil {
 		return fmt.Errorf("(*sshStorage).Copy: Error creating file on SSH storage: %w", err)
 	}
 	defer destination.Close()
 	chunk := make([]byte, 1000000)
 	for {
 		num, err := source.Read(chunk)
 		if err == io.EOF {
 			tot, err := destination.Write(chunk[:num])
 			if err != nil {
 				return fmt.Errorf("(*sshStorage).Copy: Error uploading the file to SSH storage: %w", err)
 			}
 			if tot != len(chunk[:num]) {
 				return errors.New("(*sshStorage).Copy: failed to write stream")
 			}
 			break
 		}
 		if err != nil {
 			return fmt.Errorf("(*sshStorage).Copy: Error uploading the file to SSH storage: %w", err)
 		}
 		tot, err := destination.Write(chunk[:num])
 		if err != nil {
 			return fmt.Errorf("(*sshStorage).Copy: Error uploading the file to SSH storage: %w", err)
 		}
 		if tot != len(chunk[:num]) {
 			return fmt.Errorf("(*sshStorage).Copy: failed to write stream")
 		}
 	}
 	b.Log(storage.LogLevelInfo, b.Name(), "Uploaded a copy of backup `%s` to SSH storage '%s' at path '%s'.", file, b.hostName, b.DestinationPath)
 	return nil
 }
 // Prune rotates away backups according to the configuration and provided deadline for the SSH storage backend.
 func (b *sshStorage) Prune(deadline time.Time, pruningPrefix string) (*storage.PruneStats, error) {
 	candidates, err := b.sftpClient.ReadDir(b.DestinationPath)
 	if err != nil {
 		return nil, fmt.Errorf("(*sshStorage).Prune: Error reading directory from SSH storage: %w", err)
 	}
 	var matches []string
 	for _, candidate := range candidates {
 		if !strings.HasPrefix(candidate.Name(), pruningPrefix) {
 			continue
 		}
 		if candidate.ModTime().Before(deadline) {
 			matches = append(matches, candidate.Name())
 		}
 	}
 	stats := &storage.PruneStats{
 		Total:  uint(len(candidates)),
 		Pruned: uint(len(matches)),
 	}
 	if err := b.DoPrune(b.Name(), len(matches), len(candidates), "SSH backup(s)", func() error {
 		for _, match := range matches {
 			if err := b.sftpClient.Remove(filepath.Join(b.DestinationPath, match)); err != nil {
 				return fmt.Errorf("(*sshStorage).Prune: Error removing file from SSH storage: %w", err)
 			}
 		}
 		return nil
 	}); err != nil {
 		return stats, err
 	}
 	return stats, nil
 }
--- a/internal/storage/storage.go
+++ b/internal/storage/storage.go
@@ -0,0 +1,61 @@
 // Copyright 2022 - Offen Authors <hioffen@posteo.de>
 // SPDX-License-Identifier: MPL-2.0
 package storage
 import (
 	"time"
 )
 // Backend is an interface for defining functions which all storage providers support.
 type Backend interface {
 	Copy(file string) error
 	Prune(deadline time.Time, pruningPrefix string) (*PruneStats, error)
 	Name() string
 }
 // StorageBackend is a generic type of storage. Everything here are common properties of all storage types.
 type StorageBackend struct {
 	DestinationPath string
 	RetentionDays   int
 	Log             Log
 }
 type LogLevel int
 const (
 	LogLevelInfo LogLevel = iota
 	LogLevelWarning
 	LogLevelError
 )
 type Log func(logType LogLevel, context string, msg string, params ...interface{})
 // PruneStats is a wrapper struct for returning stats after pruning
 type PruneStats struct {
 	Total  uint
 	Pruned uint
 }
 // DoPrune holds general control flow that applies to any kind of storage.
 // Callers can pass in a thunk that performs the actual deletion of files.
 func (b *StorageBackend) DoPrune(context string, lenMatches, lenCandidates int, description string, doRemoveFiles func() error) error {
 	if lenMatches != 0 && lenMatches != lenCandidates {
 		if err := doRemoveFiles(); err != nil {
 			return err
 		}
 		b.Log(LogLevelInfo, context,
 			"Pruned %d out of %d %s as their age exceeded the configured retention period of %d days.",
 			lenMatches,
 			lenCandidates,
 			description,
 			b.RetentionDays,
 		)
 	} else if lenMatches != 0 && lenMatches == lenCandidates {
 		b.Log(LogLevelWarning, context, "The current configuration would delete all %d existing %s.", lenMatches, description)
 		b.Log(LogLevelWarning, context, "Refusing to do so, please check your configuration.")
 	} else {
 		b.Log(LogLevelInfo, context, "None of %d existing %s were pruned.", lenCandidates, description)
 	}
 	return nil
 }
--- a/internal/storage/webdav/webdav.go
+++ b/internal/storage/webdav/webdav.go
@@ -0,0 +1,121 @@
 // Copyright 2022 - Offen Authors <hioffen@posteo.de>
 // SPDX-License-Identifier: MPL-2.0
 package webdav
 import (
 	"errors"
 	"fmt"
 	"io/fs"
 	"net/http"
 	"os"
 	"path"
 	"path/filepath"
 	"strings"
 	"time"
 	"github.com/offen/docker-volume-backup/internal/storage"
 	"github.com/studio-b12/gowebdav"
 )
 type webDavStorage struct {
 	*storage.StorageBackend
 	client *gowebdav.Client
 	url    string
 }
 // Config allows to configure a WebDAV storage backend.
 type Config struct {
 	URL         string
 	RemotePath  string
 	Username    string
 	Password    string
 	URLInsecure bool
 }
 // NewStorageBackend creates and initializes a new WebDav storage backend.
 func NewStorageBackend(opts Config, logFunc storage.Log) (storage.Backend, error) {
 	if opts.Username == "" || opts.Password == "" {
 		return nil, errors.New("NewStorageBackend: WEBDAV_URL is defined, but no credentials were provided")
 	} else {
 		webdavClient := gowebdav.NewClient(opts.URL, opts.Username, opts.Password)
 		if opts.URLInsecure {
 			defaultTransport, ok := http.DefaultTransport.(*http.Transport)
 			if !ok {
 				return nil, errors.New("NewStorageBackend: unexpected error when asserting type for http.DefaultTransport")
 			}
 			webdavTransport := defaultTransport.Clone()
 			webdavTransport.TLSClientConfig.InsecureSkipVerify = opts.URLInsecure
 			webdavClient.SetTransport(webdavTransport)
 		}
 		return &webDavStorage{
 			StorageBackend: &storage.StorageBackend{
 				DestinationPath: opts.RemotePath,
 				Log:             logFunc,
 			},
 			client: webdavClient,
 		}, nil
 	}
 }
 // Name returns the name of the storage backend
 func (b *webDavStorage) Name() string {
 	return "WebDAV"
 }
 // Copy copies the given file to the WebDav storage backend.
 func (b *webDavStorage) Copy(file string) error {
 	bytes, err := os.ReadFile(file)
 	_, name := path.Split(file)
 	if err != nil {
 		return fmt.Errorf("(*webDavStorage).Copy: Error reading the file to be uploaded: %w", err)
 	}
 	if err := b.client.MkdirAll(b.DestinationPath, 0644); err != nil {
 		return fmt.Errorf("(*webDavStorage).Copy: Error creating directory '%s' on WebDAV server: %w", b.DestinationPath, err)
 	}
 	if err := b.client.Write(filepath.Join(b.DestinationPath, name), bytes, 0644); err != nil {
 		return fmt.Errorf("(*webDavStorage).Copy: Error uploading the file to WebDAV server: %w", err)
 	}
 	b.Log(storage.LogLevelInfo, b.Name(), "Uploaded a copy of backup '%s' to WebDAV URL '%s' at path '%s'.", file, b.url, b.DestinationPath)
 	return nil
 }
 // Prune rotates away backups according to the configuration and provided deadline for the WebDav storage backend.
 func (b *webDavStorage) Prune(deadline time.Time, pruningPrefix string) (*storage.PruneStats, error) {
 	candidates, err := b.client.ReadDir(b.DestinationPath)
 	if err != nil {
 		return nil, fmt.Errorf("(*webDavStorage).Prune: Error looking up candidates from remote storage: %w", err)
 	}
 	var matches []fs.FileInfo
 	var lenCandidates int
 	for _, candidate := range candidates {
 		if !strings.HasPrefix(candidate.Name(), pruningPrefix) {
 			continue
 		}
 		lenCandidates++
 		if candidate.ModTime().Before(deadline) {
 			matches = append(matches, candidate)
 		}
 	}
 	stats := &storage.PruneStats{
 		Total:  uint(lenCandidates),
 		Pruned: uint(len(matches)),
 	}
 	if err := b.DoPrune(b.Name(), len(matches), lenCandidates, "WebDAV backup(s)", func() error {
 		for _, match := range matches {
 			if err := b.client.Remove(filepath.Join(b.DestinationPath, match.Name())); err != nil {
 				return fmt.Errorf("(*webDavStorage).Prune: Error removing file from WebDAV storage: %w", err)
 			}
 		}
 		return nil
 	}); err != nil {
 		return stats, err
 	}
 	return stats, nil
 }
--- a/internal/utilities/util.go
+++ b/internal/utilities/util.go
@@ -0,0 +1,24 @@
 // Copyright 2022 - Offen Authors <hioffen@posteo.de>
 // SPDX-License-Identifier: MPL-2.0
 package utilities
 import (
 	"errors"
 	"strings"
 )
 // Join takes a list of errors and joins them into a single error
 func Join(errs ...error) error {
 	if len(errs) == 1 {
 		return errs[0]
 	}
 	var msgs []string
 	for _, err := range errs {
 		if err == nil {
 			continue
 		}
 		msgs = append(msgs, err.Error())
 	}
 	return errors.New("[" + strings.Join(msgs, ", ") + "]")
 }
--- a/test/certs/docker-compose.yml
+++ b/test/certs/docker-compose.yml
@@ -0,0 +1,48 @@
 version: '3'
 services:
  minio:
    hostname: minio.local
    image: minio/minio:RELEASE.2020-08-04T23-10-51Z
    environment:
      MINIO_ROOT_USER: test
      MINIO_ROOT_PASSWORD: test
      MINIO_ACCESS_KEY: test
      MINIO_SECRET_KEY: GMusLtUmILge2by+z890kQ
    entrypoint: /bin/ash -c 'mkdir -p /data/backup && minio server --certs-dir "/certs" --address ":443" /data'
    volumes:
      - minio_backup_data:/data
      - ./minio.crt:/certs/public.crt
      - ./minio.key:/certs/private.key
  backup:
    image: offen/docker-volume-backup:${TEST_VERSION:-canary}
    depends_on:
      - minio
    restart: always
    environment:
      BACKUP_FILENAME: test.tar.gz
      AWS_ACCESS_KEY_ID: test
      AWS_SECRET_ACCESS_KEY: GMusLtUmILge2by+z890kQ
      AWS_ENDPOINT: minio.local:443
      AWS_ENDPOINT_CA_CERT: /root/minio-rootCA.crt
      AWS_S3_BUCKET_NAME: backup
      BACKUP_CRON_EXPRESSION: 0 0 5 31 2 ?
      BACKUP_RETENTION_DAYS: ${BACKUP_RETENTION_DAYS:-7}
      BACKUP_PRUNING_LEEWAY: 5s
    volumes:
      - app_data:/backup/app_data:ro
      - /var/run/docker.sock:/var/run/docker.sock
      - ./rootCA.crt:/root/minio-rootCA.crt
  offen:
    image: offen/offen:latest
    labels:
      - docker-volume-backup.stop-during-backup=true
    volumes:
      - app_data:/var/opt/offen
 volumes:
  minio_backup_data:
    name: minio_backup_data
  app_data:
--- a/test/certs/run.sh
+++ b/test/certs/run.sh
@@ -0,0 +1,43 @@
 #!/bin/sh
 set -e
 cd "$(dirname "$0")"
 . ../util.sh
 current_test=$(basename $(pwd))
 openssl genrsa -des3 -passout pass:test -out rootCA.key 4096
 openssl req -passin pass:test \
  -subj "/C=DE/ST=BE/O=IntegrationTest, Inc." \
  -x509 -new -key rootCA.key -sha256 -days 1 -out rootCA.crt
 openssl genrsa -out minio.key 4096
 openssl req -new -sha256 -key minio.key \
  -subj "/C=DE/ST=BE/O=IntegrationTest, Inc./CN=minio" \
  -out minio.csr
 openssl x509 -req -passin pass:test \
  -in minio.csr \
  -CA rootCA.crt -CAkey rootCA.key -CAcreateserial \
  -extfile san.cnf \
  -out minio.crt -days 1 -sha256
 openssl x509 -in minio.crt -noout -text
 docker-compose up -d
 sleep 5
 docker-compose exec backup backup
 sleep 5
 expect_running_containers "3"
 docker run --rm -it \
  -v minio_backup_data:/minio_data \
  alpine \
  ash -c 'tar -xvf /minio_data/backup/test.tar.gz -C /tmp && test -f /tmp/backup/app_data/offen.db'
 pass "Found relevant files in untared remote backups."
 docker-compose down --volumes
--- a/test/certs/san.cnf
+++ b/test/certs/san.cnf
@@ -0,0 +1 @@
 subjectAltName = DNS:minio.local
--- a/test/commands/docker-compose.yml
+++ b/test/commands/docker-compose.yml
@@ -10,12 +10,27 @@ services:
      MARIADB_ROOT_PASSWORD: test
      MARIADB_DATABASE: backup
    labels:
      # this is testing the deprecated label on purpose
      - docker-volume-backup.exec-pre=/bin/sh -c 'mysqldump -ptest --all-databases > /tmp/volume/dump.sql'
-      - docker-volume-backup.exec-post=/bin/sh -c 'echo "post" > /tmp/volume/post.txt'
+      - docker-volume-backup.copy-post=/bin/sh -c 'echo "post" > /tmp/volume/post.txt'
      - docker-volume-backup.exec-label=test
    volumes:
      - app_data:/tmp/volume
  other_database:
    image: mariadb:10.7
    deploy:
      restart_policy:
        condition: on-failure
    environment:
      MARIADB_ROOT_PASSWORD: test
      MARIADB_DATABASE: backup
    labels:
      - docker-volume-backup.archive-pre=touch /tmp/volume/not-relevant.txt
      - docker-volume-backup.exec-label=not-relevant
    volumes:
      - app_data:/tmp/volume
  backup:
    image: offen/docker-volume-backup:${TEST_VERSION:-canary}
    deploy:
--- a/test/commands/run.sh
+++ b/test/commands/run.sh
@@ -18,6 +18,11 @@ if [ ! -f ./backup/data/dump.sql ]; then
 fi
 pass "Found expected file."
 if [ -f ./backup/data/not-relevant.txt ]; then
  fail "Command ran for container with other label."
 fi
 pass "Command did not run for container with other label."
 if [ -f ./backup/data/post.txt ]; then
  fail "File created in post command was present in backup."
 fi
--- a/test/gpg/docker-compose.yml
+++ b/test/gpg/docker-compose.yml
@@ -9,7 +9,7 @@ services:
      BACKUP_FILENAME: test.tar.gz
      BACKUP_LATEST_SYMLINK: test-latest.tar.gz.gpg
      BACKUP_RETENTION_DAYS: ${BACKUP_RETENTION_DAYS:-7}
-      GPG_PASSPHRASE: 1234secret
+      GPG_PASSPHRASE: 1234#$$ecret
    volumes:
      - ./local:/archive
      - app_data:/backup/app_data:ro
--- a/test/gpg/run.sh
+++ b/test/gpg/run.sh
@@ -17,9 +17,8 @@ expect_running_containers "2"
 tmp_dir=$(mktemp -d)
-echo 1234secret | gpg -d --pinentry-mode loopback --yes --passphrase-fd 0 ./local/test.tar.gz.gpg > ./local/decrypted.tar.gz
+echo "1234#\$ecret" | gpg -d --pinentry-mode loopback --yes --passphrase-fd 0 ./local/test.tar.gz.gpg > ./local/decrypted.tar.gz
 tar -xf ./local/decrypted.tar.gz -C $tmp_dir
 ls -lah $tmp_dir
 if [ ! -f $tmp_dir/backup/app_data/offen.db ]; then
  fail "Could not find expected file in untared archive."
 fi
--- a/test/secrets/docker-compose.yml
+++ b/test/secrets/docker-compose.yml
@@ -0,0 +1,78 @@
 # Copyright 2020-2021 - Offen Authors <hioffen@posteo.de>
 # SPDX-License-Identifier: Unlicense
 version: '3.8'
 services:
  minio:
    image: minio/minio:RELEASE.2020-08-04T23-10-51Z
    deploy:
      restart_policy:
        condition: on-failure
    environment:
      MINIO_ROOT_USER: test
      MINIO_ROOT_PASSWORD: test
      MINIO_ACCESS_KEY: test
      MINIO_SECRET_KEY: GMusLtUmILge2by+z890kQ
    entrypoint: /bin/ash -c 'mkdir -p /data/backup && minio server /data'
    volumes:
      - backup_data:/data
  backup:
    image: offen/docker-volume-backup:${TEST_VERSION:-canary}
    depends_on:
      - minio
    deploy:
      restart_policy:
        condition: on-failure
    environment:
      AWS_ACCESS_KEY_ID_FILE: /run/secrets/minio_root_user
      AWS_SECRET_ACCESS_KEY_FILE: /run/secrets/minio_root_password
      AWS_ENDPOINT: minio:9000
      AWS_ENDPOINT_PROTO: http
      AWS_S3_BUCKET_NAME: backup
      BACKUP_FILENAME: test.tar.gz
      BACKUP_CRON_EXPRESSION: 0 0 5 31 2 ?
      BACKUP_RETENTION_DAYS: 7
      BACKUP_PRUNING_LEEWAY: 5s
    volumes:
      - pg_data:/backup/pg_data:ro
      - /var/run/docker.sock:/var/run/docker.sock
    secrets:
      - minio_root_user
      - minio_root_password
  offen:
    image: offen/offen:latest
    labels:
      - docker-volume-backup.stop-during-backup=true
    healthcheck:
      disable: true
    deploy:
      replicas: 2
      restart_policy:
        condition: on-failure
  pg:
    image: postgres:14-alpine
    environment:
      POSTGRES_PASSWORD: example
    labels:
      - docker-volume-backup.stop-during-backup=true
    volumes:
      - pg_data:/var/lib/postgresql/data
    deploy:
      restart_policy:
        condition: on-failure
 volumes:
  backup_data:
    name: backup_data
  pg_data:
    name: pg_data
 secrets:
  minio_root_user:
    external: true
  minio_root_password:
    external: true
--- a/test/secrets/run.sh
+++ b/test/secrets/run.sh
@@ -0,0 +1,44 @@
 #!/bin/sh
 set -e
 cd $(dirname $0)
 . ../util.sh
 current_test=$(basename $(pwd))
 docker swarm init
 printf "test" | docker secret create minio_root_user -
 printf "GMusLtUmILge2by+z890kQ" | docker secret create minio_root_password -
 docker stack deploy --compose-file=docker-compose.yml test_stack
 while [ -z $(docker ps -q -f name=backup) ]; do
  info "Backup container not ready yet. Retrying."
  sleep 1
 done
 sleep 20
 docker exec $(docker ps -q -f name=backup) backup
 docker run --rm -it \
  -v backup_data:/data alpine \
  ash -c 'tar -xf /data/backup/test.tar.gz && test -f /backup/pg_data/PG_VERSION'
 pass "Found relevant files in untared backup."
 sleep 5
 expect_running_containers "5"
 docker stack rm test_stack
 docker secret rm minio_root_password
 docker secret rm minio_root_user
 docker swarm leave --force
 sleep 10
 docker volume rm backup_data
 docker volume rm pg_data
--- a/test/swarm/docker-compose.yml
+++ b/test/swarm/docker-compose.yml
@@ -66,3 +66,4 @@ volumes:
  backup_data:
    name: backup_data
  pg_data:
    name: pg_data
--- a/test/swarm/run.sh
+++ b/test/swarm/run.sh
@@ -30,3 +30,8 @@ expect_running_containers "5"
 docker stack rm test_stack
 docker swarm leave --force
 sleep 10
 docker volume rm backup_data
 docker volume rm pg_data
Author	SHA1	Message	Date
Frederik Ring	9534cde7d9	Allow use of a custom ca cert when working against S3 storages (#170 )	2022-12-22 14:37:51 +01:00
XF	08bafdb054	Update MinIO Go SDK to v7.0.44 (#167 ) Adds support for the eu-south-2, eu-central-2, me-central-1, ap-southeast-3 AWS endpoints	2022-11-21 20:30:13 +01:00
Frederik Ring	907deecdd0	Call ListObjects without WithMetadata option (#165 )	2022-10-23 21:56:44 +02:00
Frederik Ring	92b888e72c	Remove debugging remnant from test	2022-10-17 20:41:10 +02:00
Frederik Ring	3925ac1ee0	Special characters in password do not break GPG test case	2022-10-17 19:42:38 +02:00
Frederik Ring	5c7856feb3	Consider failed casting to error response, use established minio bootstrap in tests	2022-10-13 19:40:41 +02:00
Frederik Ring	dec7d7e2c0	Lock version of Docker Credential Helper in CI	2022-10-12 20:23:40 +02:00
pixxon	b5cc1262e2	add aws secret handling (#161 ) * add aws secret handling * make it look go-ish * fix tests * whitespace * sleep a bit	2022-10-12 19:14:57 +02:00
Frederik Ring	00c83dfac7	Fix more error strings	2022-09-15 10:49:45 +02:00
Frederik Ring	eb9a198327	Ensure consistency in error messages	2022-09-15 10:04:12 +02:00
Frederik Ring	97e975a535	Add FUNDING.yml	2022-09-02 09:39:55 +02:00
Frederik Ring	749a7a15a6	Build using Go 1.19 (#153 )	2022-09-01 15:12:48 +02:00
Frederik Ring	a6ec128cab	Run copying and pruning against multiple storages in parallel (#152 )	2022-09-01 14:38:04 +02:00
Frederik Ring	695a94d479	Add template for support request issue	2022-09-01 14:30:42 +02:00
Frederik Ring	2316111892	Fix key location in container in SSH example	2022-08-29 17:10:07 +02:00
Frederik Ring	b60c747448	Fix WebDAV spelling, remove some inconsistencies (#143 ) * Simplify logging, fix WebDAV spelling * Define options types per package * Move util functions that are not used cross package * Add per file license headers * Rename config type	2022-08-18 12:37:45 +02:00
MaxJa4	279844ccfb	Added abstract helper interface for all storage backends (#135 ) * Added abstract helper interface and implemented it for all storage backends * Moved storage client initializations also to helper classes * Fixed ssh init issue * Moved script parameter to helper struct to simplify script init. * Created sub modules. Enhanced abstract implementation. * Fixed config issue * Fixed declaration issues. Added config to interface. * Added StorageProviders to unify all backends. * Cleanup, optimizations, comments. * Applied discussed changes. See description. Moved modules to internal packages. Replaced StoragePool with slice. Moved conditional for init of storage backends back to script. * Fix docker build issue * Fixed accidentally removed local copy condition. * Delete .gitignore * Renaming/changes according to review Renamed Init functions and interface. Replaced config object with specific config values. Init func returns interface instead of struct. Removed custom import names where possible. * Fixed auto-complete error. * Combined copy instructions into one layer. * Added logging func for storages. * Introduced logging func for errors too. * Missed an error message * Moved config back to main. Optimized prune stats handling. * Move stats back to main package * Code doc stuff * Apply changes from #136 * Replace name field with function. * Changed receiver names from stg to b. * Renamed LogFuncDef to Log * Removed redundant package name. * Renamed storagePool to storages. * Simplified creation of new storage backend. * Added initialization for storage stats map. * Invert .dockerignore patterns. * Fix package typo	2022-08-18 12:37:45 +02:00
Frederik Ring	4ec88d14dd	Update issue templates (#145 )	2022-08-18 10:59:34 +02:00
Frederik Ring	599b7f3f74	Use crontab command to recreate empty tab file (#141 )	2022-08-15 15:00:58 +02:00
Frederik Ring	b2d4c48082	Update base image to alpine:3.16 (#124 )	2022-08-15 09:25:47 +02:00
MaxJa4	2b7f0c52c0	Print more error info for minio (#136 ) * Print more error info for minio * Unpacked error info	2022-08-15 09:25:32 +02:00
Frederik Ring	cc912d7b64	Delete existing crontab before appending entries per conf.d (#140 )	2022-08-15 09:25:19 +02:00
Frederik Ring	26c8ba971f	Add test case for exec label (#132 )	2022-07-15 09:34:01 +02:00
Alexander Zimmermann	3f10d0f817	Update README.md (#130 ) Replace deprecated exec-pre label	2022-07-14 13:47:54 +02:00
Frederik Ring	b441cf3e2b	Fine grained labels (#115 ) * Refactor label command mechanism to be more flexible * Run all steps wrapped in labeled commands * Rename methods to be in line with lifecycle * Deprecate exec-pre and exec-post labels * Add documentation * Use type alias for lifecycle phases * Fix bad imports * Fix command lookup for deprecated labels * Use more generic naming for lifecycle phase * Fail on erroneous post command * Update documentation	2022-07-10 10:36:56 +02:00
Frederik Ring	82f66565da	Add further docs on backup selection when using conf.d	2022-07-08 14:05:45 +02:00
Frederik Ring	d68814be9d	Add section about shoutrrr CLI tool to README	2022-07-07 22:22:21 +02:00