Periodically collect runtime info when requested

Docker client expects to be closed after usage in long running program
Hoist control for exiting script a level up (#348 )
2025-12-05 17:18:02 +01:00 · 2024-02-12 16:04:12 +01:00 · 2024-02-12 16:04:12 +01:00 · 2024-02-12 16:04:12 +01:00 · 2024-02-12 16:04:12 +01:00 · 2024-02-12 16:04:12 +01:00
132 changed files with 21352 additions and 1944 deletions
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -1,70 +0,0 @@
 version: 2.1
 jobs:
  canary:
    machine:
      image: ubuntu-1604:202007-01
    working_directory: ~/docker-volume-backup
    steps:
      - checkout
      - run:
          name: Build
          command: |
            docker build . -t offen/docker-volume-backup:canary
      - run:
          name: Install gnupg
          command: |
            sudo apt-get install -y gnupg
      - run:
          name: Run tests
          working_directory: ~/docker-volume-backup/test
          command: |
            ./test.sh canary
  build:
    docker:
      - image: cimg/base:2020.06
        environment:
          DOCKER_BUILDKIT: '1'
          DOCKER_CLI_EXPERIMENTAL: enabled
    working_directory: ~/docker-volume-backup
    steps:
      - checkout
      - setup_remote_docker:
          version: 20.10.6
      - docker/install-docker-credential-helper
      - docker/configure-docker-credentials-store
      - run:
          name: Push to Docker Hub
          command: |
            echo "$DOCKER_ACCESSTOKEN" | docker login --username offen --password-stdin
            # This is required for building ARM: https://gitlab.alpinelinux.org/alpine/aports/-/issues/12406
            docker run --rm --privileged linuxkit/binfmt:v0.8
            docker context create docker-volume-backup
            docker buildx create docker-volume-backup --name docker-volume-backup --use
            docker buildx inspect --bootstrap
            tag_args="-t offen/docker-volume-backup:$CIRCLE_TAG"
            if [[ "$CIRCLE_TAG" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
              # prerelease tags like `v2.0.0-alpha.1` should not be released as `latest`
              tag_args="$tag_args -t offen/docker-volume-backup:latest"
            fi
            docker buildx build --platform linux/amd64,linux/arm64,linux/arm/v7 \
               $tag_args . --push
 workflows:
  version: 2
  docker_image:
    jobs:
      - canary:
          filters:
            tags:
              ignore: /^v.*/
      - build:
          filters:
            branches:
              ignore: /.*/
            tags:
              only: /^v.*/
 orbs:
  docker: circleci/docker@1.0.1
--- a/.dockerignore
+++ b/.dockerignore
@@ -1 +1,7 @@
 test
 .github
 .circleci
 docs
 .editorconfig
 LICENSE
 README.md
--- a/.github/FUNDING.yml
+++ b/.github/FUNDING.yml
@@ -0,0 +1,3 @@
 github: offen
 patreon: offen
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -0,0 +1,34 @@
 ---
 name: Bug report
 about: Create a report to help us improve
 title: ''
 labels: ''
 assignees: ''
 ---
 **Describe the bug**
 <!--
 A clear and concise description of what the bug is.
 -->
 **To Reproduce**
 Steps to reproduce the behavior:
 1. ...
 2. ...
 3. ...
 **Expected behavior**
 <!--
 A clear and concise description of what you expected to happen.
 -->
 **Version (please complete the following information):**
 - Image Version: <!-- e.g. v2.21.0 -->
 - Docker Version: <!-- e.g. 20.10.17 -->
 - Docker Compose Version (if applicable): <!-- e.g. 1.29.2 -->
 **Additional context**
 <!--
 Add any other context about the problem here.
 -->
--- a/.github/ISSUE_TEMPLATE/feature_request.md
+++ b/.github/ISSUE_TEMPLATE/feature_request.md
@@ -0,0 +1,28 @@
 ---
 name: Feature request
 about: Suggest an idea for this project
 title: ''
 labels: ''
 assignees: ''
 ---
 **Is your feature request related to a problem? Please describe.**
 <!--
 A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
 -->
 **Describe the solution you'd like**
 <!--
 A clear and concise description of what you want to happen.
 -->
 **Describe alternatives you've considered**
 <!--
 A clear and concise description of any alternative solutions or features you've considered.
 -->
 **Additional context**
 <!--
 Add any other context or screenshots about the feature request here.
 -->
--- a/.github/ISSUE_TEMPLATE/support_request.md
+++ b/.github/ISSUE_TEMPLATE/support_request.md
@@ -0,0 +1,28 @@
 ---
 name: Support request
 about: Ask for help
 title: ''
 labels: ''
 assignees: ''
 ---
 **What are you trying to do?**
 <!--
 A clear and concise description of what you are trying to do, but cannot get working.
 -->
 **What is your current configuration?**
 <!--
 Add the full configuration you are using. Please redact out any real-world credentials.
 -->
 **Log output**
 <!--
 Provide the full log output of your setup.
 -->
 **Additional context**
 <!--
 Add any other context or screenshots about the support request here.
 -->
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -0,0 +1,10 @@
 version: 2
 updates:
  - package-ecosystem: docker
    directory: /
    schedule:
      interval: weekly
  - package-ecosystem: gomod
    directory: /
    schedule:
      interval: weekly
--- a/.github/workflows/deploy-docs.yml
+++ b/.github/workflows/deploy-docs.yml
@@ -0,0 +1,52 @@
 name: Deploy Documenation site to GitHub Pages
 on:
  push:
    branches: ['main']
  workflow_dispatch:
 permissions:
  contents: read
  pages: write
  id-token: write
 concurrency:
  group: 'pages'
  cancel-in-progress: true
 jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup Ruby
        uses: ruby/setup-ruby@v1
        with:
          ruby-version: '3.2'
          bundler-cache: true
          cache-version: 0
          working-directory: docs
      - name: Setup Pages
        id: pages
        uses: actions/configure-pages@v2
      - name: Build with Jekyll
        working-directory: docs
        run: bundle exec jekyll build --baseurl "${{ steps.pages.outputs.base_path }}"
        env:
          JEKYLL_ENV: production
      - name: Upload artifact
        uses: actions/upload-pages-artifact@v1
        with:
          path: 'docs/_site/'
  deploy:
    environment:
      name: github-pages
      url: ${{ steps.deployment.outputs.page_url }}
    runs-on: ubuntu-latest
    needs: build
    steps:
      - name: Deploy to GitHub Pages
        id: deployment
        uses: actions/deploy-pages@v1
--- a/.github/workflows/golangci-lint.yml
+++ b/.github/workflows/golangci-lint.yml
@@ -0,0 +1,54 @@
 name: Run Linters
 on:
  push:
    branches:
      - main
  pull_request:
 permissions:
  contents: read
  # Optional: allow read access to pull request. Use with `only-new-issues` option.
  pull-requests: read
 jobs:
  golangci:
    name: lint
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version: '1.21'
          cache: false
      - name: golangci-lint
        uses: golangci/golangci-lint-action@v3
        with:
          # Require: The version of golangci-lint to use.
          # When `install-mode` is `binary` (default) the value can be v1.2 or v1.2.3 or `latest` to use the latest version.
          # When `install-mode` is `goinstall` the value can be v1.2.3, `latest`, or the hash of a commit.
          version: v1.54
          # Optional: working directory, useful for monorepos
          # working-directory: somedir
          # Optional: golangci-lint command line arguments.
          #
          # Note: By default, the `.golangci.yml` file should be at the root of the repository.
          # The location of the configuration file can be changed by using `--config=`
          # args: --timeout=30m --config=/my/path/.golangci.yml --issues-exit-code=0
          # Optional: show only new issues if it's a pull request. The default value is `false`.
          # only-new-issues: true
          # Optional: if set to true, then all caching functionality will be completely disabled,
          #           takes precedence over all other caching options.
          # skip-cache: true
          # Optional: if set to true, then the action won't cache or restore ~/go/pkg.
          # skip-pkg-cache: true
          # Optional: if set to true, then the action won't cache or restore ~/.cache/go-build.
          # skip-build-cache: true
          # Optional: The mode to install golangci-lint. It can be 'binary' or 'goinstall'.
          # install-mode: "goinstall"
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -0,0 +1,59 @@
 name: Release Docker Image
 on:
  push:
    tags: v**
 jobs:
  push_to_registries:
    name: Push Docker image to multiple registries
    runs-on: ubuntu-latest
    permissions:
      packages: write
      contents: read
    steps:
      - name: Check out the repo
        uses: actions/checkout@v4
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v2
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2
      - name: Log in to Docker Hub
        uses: docker/login-action@v2
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}
      - name: Log in to GHCR
        uses: docker/login-action@v2
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Extract Docker tags
        id: meta
        run: |
          version_tag="${{github.ref_name}}"
          tags=($version_tag)
          if [[ "$version_tag" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
            # prerelease tags like `v2.0.0-alpha.1` should not be released as `latest` nor `v2`
            tags+=("latest")
            tags+=($(echo "$version_tag" | cut -d. -f1))
          fi
          releases=""
          for tag in "${tags[@]}"; do
            releases="${releases:+$releases,}offen/docker-volume-backup:$tag,ghcr.io/offen/docker-volume-backup:$tag"
          done
          echo "releases=$releases" >> "$GITHUB_OUTPUT"
      - name: Build and push Docker images
        uses: docker/build-push-action@v4
        with:
          context: .
          push: true
          platforms: linux/amd64,linux/arm64,linux/arm/v7
          tags: ${{ steps.meta.outputs.releases }}
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -0,0 +1,21 @@
 name: Run Integration Tests
 on:
  push:
    branches:
      - main
  pull_request:
 jobs:
  test:
    runs-on: ubuntu-22.04
    steps:
      - uses: actions/checkout@v4
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2
      - name: Run Tests
        working-directory: ./test
        run: |
          BUILD_IMAGE=1 ./test.sh
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -0,0 +1,8 @@
 linters:
  # Enable specific linter
  # https://golangci-lint.run/usage/linters/#enabled-by-default
  enable:
    - staticcheck
    - govet
 output:
  format: github-actions
--- a/20
+++ b/20
@@ -1,22 +1,20 @@
 # Copyright 2021 - Offen Authors <hioffen@posteo.de>
 # SPDX-License-Identifier: MPL-2.0
-FROM golang:1.17-alpine as builder
+FROM golang:1.21-alpine as builder
 WORKDIR /app
-COPY go.mod go.sum ./
+COPY . .
-COPY cmd/backup/main.go ./cmd/backup/main.go
+RUN go mod download
-RUN go build -o backup cmd/backup/main.go
+WORKDIR /app/cmd/backup
 RUN go build -o backup .
-FROM alpine:3.14
+FROM alpine:3.19
 WORKDIR /root
-RUN apk add --update ca-certificates
+RUN apk add --no-cache ca-certificates
-COPY --from=builder /app/backup /usr/bin/backup
+COPY --from=builder /app/cmd/backup/backup /usr/bin/backup
-COPY ./entrypoint.sh /root/
+ENTRYPOINT ["/usr/bin/backup", "-foreground"]
 RUN chmod +x entrypoint.sh
 ENTRYPOINT ["/root/entrypoint.sh"]
--- a/README.md
+++ b/README.md
@@ -1,44 +1,22 @@
 <a href="https://www.offen.dev/">
    <img src="https://offen.github.io/press-kit/offen-material/gfx-GitHub-Offen-logo.svg" alt="Offen logo" title="Offen" width="150px"/>
 </a>
 # docker-volume-backup
-Backup Docker volumes locally or to any S3 compatible storage.
+Backup Docker volumes locally or to any S3, WebDAV, Azure Blob Storage, Dropbox or SSH compatible storage.
-The [offen/docker-volume-backup](https://hub.docker.com/r/offen/docker-volume-backup) Docker image can be used as a lightweight (below 15MB) sidecar container to an existing Docker setup.
+The [offen/docker-volume-backup](https://hub.docker.com/r/offen/docker-volume-backup) Docker image can be used as a lightweight (below 15MB) companion container to an existing Docker setup.
-It handles __recurring or one-off backups of Docker volumes__ to a __local directory__ or __any S3 compatible storage__ (or both), and __rotates away old backups__ if configured. It also supports __encrypting your backups using GPG__ and __sending notifications for failed backup runs__.
+It handles __recurring or one-off backups of Docker volumes__ to a __local directory__, __any S3, WebDAV, Azure Blob Storage, Dropbox or SSH compatible storage (or any combination thereof) and rotates away old backups__ if configured. It also supports __encrypting your backups using GPG__ and __sending notifications for (failed) backup runs__.
-<!-- MarkdownTOC -->
+Documentation is found at <https://offen.github.io/docker-volume-backup>
-
+  - [Quickstart](https://offen.github.io/docker-volume-backup)
- [Quickstart](#quickstart)
+  - [Configuration Reference](https://offen.github.io/docker-volume-backup/reference/)
-  - [Recurring backups in a compose setup](#recurring-backups-in-a-compose-setup)
+  - [How Tos](https://offen.github.io/docker-volume-backup/how-tos/)
-  - [One-off backups using Docker CLI](#one-off-backups-using-docker-cli)
+  - [Recipes](https://offen.github.io/docker-volume-backup/recipes/)
 - [Configuration reference](#configuration-reference)
 - [How to](#how-to)
  - [Stopping containers during backup](#stopping-containers-during-backup)
  - [Automatically pruning old backups](#automatically-pruning-old-backups)
  - [Send email notifications on failed backup runs](#send-email-notifications-on-failed-backup-runs)
  - [Encrypting your backup using GPG](#encrypting-your-backup-using-gpg)
  - [Restoring a volume from a backup](#restoring-a-volume-from-a-backup)
  - [Set the timezone the container runs in](#set-the-timezone-the-container-runs-in)
  - [Using with Docker Swarm](#using-with-docker-swarm)
  - [Manually triggering a backup](#manually-triggering-a-backup)
 - [Recipes](#recipes)
  - [Backing up to AWS S3](#backing-up-to-aws-s3)
  - [Backing up to MinIO](#backing-up-to-minio)
  - [Backing up locally](#backing-up-locally)
  - [Backing up to AWS S3 as well as locally](#backing-up-to-aws-s3-as-well-as-locally)
  - [Running on a custom cron schedule](#running-on-a-custom-cron-schedule)
  - [Rotating away backups that are older than 7 days](#rotating-away-backups-that-are-older-than-7-days)
  - [Encrypting your backups using GPG](#encrypting-your-backups-using-gpg)
  - [Running multiple instances in the same setup](#running-multiple-instances-in-the-same-setup)
 - [Differences to `futurice/docker-volume-backup`](#differences-to-futuricedocker-volume-backup)
 <!-- /MarkdownTOC -->
 ---
 Code and documentation for `v1` versions are found on [this branch][v1-branch].
 [v1-branch]: https://github.com/offen/docker-volume-backup/tree/v1
 ## Quickstart
 ### Recurring backups in a compose setup
@@ -72,7 +50,8 @@ services:
      - data:/backup/my-app-backup:ro
      # Mounting the Docker socket allows the script to stop and restart
      # the container during backup. You can omit this if you don't want
-      # to stop the container
+      # to stop the container. In case you need to proxy the socket, you can
      # also provide a location by setting `DOCKER_HOST` in the container
      - /var/run/docker.sock:/var/run/docker.sock:ro
      # If you mount a local directory or volume to `/archive` a local
      # copy of the backup will be stored there. You can override the
@@ -94,527 +73,7 @@ docker run --rm \
  --env AWS_SECRET_ACCESS_KEY="<xxx>" \
  --env AWS_S3_BUCKET_NAME="<xxx>" \
  --entrypoint backup \
-  offen/docker-volume-backup:latest
+  offen/docker-volume-backup:v2
 ```
 Alternatively, pass a `--env-file` in order to use a full config as described below.
 ## Configuration reference
 Backup targets, schedule and retention are configured in environment variables.
 You can populate below template according to your requirements and use it as your `env_file`:
 ```ini
 ########### BACKUP SCHEDULE
 # Backups run on the given cron schedule in `busybox` flavor. If no
 # value is set, `@daily` will be used. If you do not want the cron
 # to ever run, use `0 0 5 31 2 ?`.
 # BACKUP_CRON_EXPRESSION="0 2 * * *"
 # The name of the backup file including the `.tar.gz` extension.
 # Format verbs will be replaced as in `strftime`. Omitting them
 # will result in the same filename for every backup run, which means previous
 # versions will be overwritten on subsequent runs. The default results
 # in filenames like `backup-2021-08-29T04-00-00.tar.gz`.
 # BACKUP_FILENAME="backup-%Y-%m-%dT%H-%M-%S.tar.gz"
 # When storing local backups, a symlink to the latest backup can be created
 # in case a value is given for this key. This has no effect on remote backups.
 # BACKUP_LATEST_SYMLINK="backup.latest.tar.gz"
 ########### BACKUP STORAGE
 # The name of the remote bucket that should be used for storing backups. If
 # this is not set, no remote backups will be stored.
 # AWS_S3_BUCKET_NAME="backup-bucket"
 # Define credentials for authenticating against the backup storage and a bucket
 # name. Although all of these keys are `AWS`-prefixed, the setup can be used
 # with any S3 compatible storage.
 # AWS_ACCESS_KEY_ID="<xxx>"
 # AWS_SECRET_ACCESS_KEY="<xxx>"
 # Instead of providing static credentials, you can also use IAM instance profiles
 # or similar to provide authentication. Some possible configuration options on AWS:
 # - EC2: http://169.254.169.254
 # - ECS: http://169.254.170.2
 # AWS_IAM_ROLE_ENDPOINT="http://169.254.169.254"
 # This is the FQDN of your storage server, e.g. `storage.example.com`.
 # Do not set this when working against AWS S3 (the default value is 
 # `s3.amazonaws.com`). If you need to set a specific (non-https) protocol, you
 # will need to use the option below.
 # AWS_ENDPOINT="storage.example.com"
 # The protocol to be used when communicating with your storage server.
 # Defaults to "https". You can set this to "http" when communicating with
 # a different Docker container on the same host for example.
 # AWS_ENDPOINT_PROTO="https"
 # Setting this variable to `true` will disable verification of
 # SSL certificates. You shouldn't use this unless you use self-signed
 # certificates for your remote storage backend. This can only be used
 # when AWS_ENDPOINT_PROTO is set to `https`.
 # AWS_ENDPOINT_INSECURE="true"
 # In addition to storing backups remotely, you can also keep local copies.
 # Pass a container-local path to store your backups if needed. You also need to
 # mount a local folder or Docker volume into that location (`/archive`
 # by default) when running the container. In case the specified directory does
 # not exist (nothing is mounted) in the container when the backup is running,
 # local backups will be skipped. Local paths are also be subject to pruning of
 # old backups as defined below.
 # BACKUP_ARCHIVE="/archive"
 ########### BACKUP PRUNING
 # **IMPORTANT, PLEASE READ THIS BEFORE USING THIS FEATURE**:
 # The mechanism used for pruning old backups is not very sophisticated
 # and applies its rules to **all files in the target directory** by default,
 # which means that if you are storing your backups next to other files,
 # these might become subject to deletion too. When using this option
 # make sure the backup files are stored in a directory used exclusively
 # for such files, or to configure BACKUP_PRUNING_PREFIX to limit
 # removal to certain files.
 # Define this value to enable automatic rotation of old backups. The value
 # declares the number of days for which a backup is kept.
 # BACKUP_RETENTION_DAYS="7"
 # In case the duration a backup takes fluctuates noticeably in your setup
 # you can adjust this setting to make sure there are no race conditions
 # between the backup finishing and the rotation not deleting backups that
 # sit on the edge of the time window. Set this value to a duration
 # that is expected to be bigger than the maximum difference of backups.
 # Valid values have a suffix of (s)econds, (m)inutes or (h)ours. By default,
 # one minute is used.
 # BACKUP_PRUNING_LEEWAY="1m"
 # In case your target bucket or directory contains other files than the ones
 # managed by this container, you can limit the scope of rotation by setting
 # a prefix value. This would usually be the non-parametrized part of your
 # BACKUP_FILENAME. E.g. if BACKUP_FILENAME is `db-backup-%Y-%m-%dT%H-%M-%S.tar.gz`,
 # you can set BACKUP_PRUNING_PREFIX to `db-backup-` and make sure
 # unrelated files are not affected by the rotation mechanism.
 # BACKUP_PRUNING_PREFIX="backup-"
 ########### BACKUP ENCRYPTION
 # Backups can be encrypted using gpg in case a passphrase is given.
 # GPG_PASSPHRASE="<xxx>"
 ########### STOPPING CONTAINERS DURING BACKUP
 # Containers can be stopped by applying a
 # `docker-volume-backup.stop-during-backup` label. By default, all containers
 # that are labeled with `true` will be stopped. If you need more fine grained
 # control (e.g. when running multiple containers based on this image), you can
 # override this default by specifying a different value here.
 # BACKUP_STOP_CONTAINER_LABEL="service1"
 ########### EMAIL NOTIFICATIONS ON FAILED BACKUP RUNS
 # In case SMTP credentials are provided, notification emails can be sent out on
 # failed backup runs. These emails will contain the start time, the error
 # message and all log output prior to the failure.
 # The recipient(s) of the notification. Supply a comma separated list
 # of adresses if you want to notify multiple recipients. If this is
 # not set, no emails will be sent.
 # EMAIL_NOTIFICATION_RECIPIENT="you@example.com"
 # The "From" header of the sent email. Defaults to `noreply@nohost`.
 # EMAIL_NOTIFICATION_SENDER="no-reply@example.com"
 # Configuration and credentials for the SMTP server to be used.
 # EMAIL_SMTP_PORT defaults to 587.
 # EMAIL_SMTP_HOST="posteo.de"
 # EMAIL_SMTP_PASSWORD="<xxx>"
 # EMAIL_SMTP_USERNAME="no-reply@example.com"
 # EMAIL_SMTP_PORT="<port>"
 ```
 ## How to
 ### Stopping containers during backup
 In many cases, it will be desirable to stop the services that are consuming the volume you want to backup in order to ensure data integrity.
 This image can automatically stop and restart containers and services (in case you are running Docker in Swarm mode).
 By default, any container that is labeled `docker-volume-backup.stop-during-backup=true` will be stopped before the backup is being taken and restarted once it has finished.
 In case you need more fine grained control about which containers should be stopped (e.g. when backing up multiple volumes on different schedules), you can set the `BACKUP_STOP_CONTAINER_LABEL` environment variable and then use the same value for labeling:
 ```yml
 version: '3'
 services:
  app:
    # definition for app ...
    labels:
      - docker-volume-backup.stop-during-backup=service1
  backup:
    image: offen/docker-volume-backup:latest
    environment:
      BACKUP_STOP_CONTAINER_LABEL: service1
    volumes:
      - data:/backup/my-app-backup:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
 volumes:
  data:
 ```
 ### Automatically pruning old backups
 When `BACKUP_RETENTION_DAYS` is configured, the image will check if there are any backups in the remote bucket or local archive that are older than the given retention value and rotate these backups away.
 Be aware that this mechanism looks at __all files in the target bucket or archive__, which means that other files that are older than the given deadline are deleted as well. In case you need to use a target that cannot be used exclusively for your backups, you can configure `BACKUP_PRUNING_PREFIX` to limit which files are considered eligible for deletion:
 ```yml
 version: '3'
 services:
  # ... define other services using the `data` volume here
  backup:
    image: offen/docker-volume-backup:latest
    environment:
      BACKUP_FILENAME: backup-%Y-%m-%dT%H-%M-%S.tar.gz
      BACKUP_PRUNING_PREFIX: backup-
      BACKUP_RETENTION_DAYS: 7
    volumes:
      - ${HOME}/backups:/archive
      - data:/backup/my-app-backup:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
 volumes:
  data:
 ```
 ### Send email notifications on failed backup runs
 To send out email notifications on failed backup runs, provide SMTP credentials, a sender and a recipient:
 ```yml
 version: '3'
 services:
  backup:
    image: offen/docker-volume-backup:latest
    environment:
      # ... other configuration values go here
      EMAIL_SMTP_HOST: "smtp.example.com"
      EMAIL_SMTP_PASSWORD: "password"
      EMAIL_SMTP_USERNAME: "username"
      EMAIL_NOTIFICATION_SENDER: "noreply@example.com"
      EMAIL_NOTIFICATION_RECIPIENT: "notifications@example.com"
 ```
 ### Encrypting your backup using GPG
 The image supports encrypting backups using GPG out of the box.
 In case a `GPG_PASSPHRASE` environment variable is set, the backup will be encrypted using the given key and saved as a `.gpg` file instead.
 Assuming you have `gpg` installed, you can decrypt such a backup using (your OS will prompt for the passphrase before decryption can happen):
 ```console
 gpg -o backup.tar.gz -d backup.tar.gz.gpg
 ```
 ### Restoring a volume from a backup
 In case you need to restore a volume from a backup, the most straight forward procedure to do so would be:
 - Stop the container(s) that are using the volume
 - Untar the backup you want to restore
  ```console
  tar -C /tmp -xvf  backup.tar.gz
  ```
 - Using a temporary one-off container, mount the volume (the example assumes it's named `data`) and copy over the backup. Make sure you copy the correct path level (this depends on how you mount your volume into the backup container), you might need to strip some leading elements
  ```console
  docker run -d --name backup_restore -v data:/backup_restore alpine
  docker cp /tmp/backup/data-backup backup_restore:/backup_restore
  docker stop backup_restore
  docker rm backup_restore
  ```
 - Restart the container(s) that are using the volume 
 Depending on your setup and the application(s) you are running, this might involve other steps to be taken still.
 ### Set the timezone the container runs in
 By default a container based on this image will run in the UTC timezone.
 As the image is designed to be as small as possible, additional timezone data is not included.
 In case you want to run your cron rules in your local timezone (respecting DST and similar), you can mount your Docker host's `/etc/timezone` and `/etc/localtime` in read-only mode:
 ```yml
 version: '3'
 services:
  backup:
    image: offen/docker-volume-backup:latest
    volumes:
      - data:/backup/my-app-backup:ro
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
 volumes:
  data:
 ```
 ### Using with Docker Swarm
 By default, Docker Swarm will restart stopped containers automatically, even when manually stopped.
 If you plan to have your containers / services stopped during backup, this means you need to apply the `on-failure` restart policy to your service's definitions.
 A restart policy of `always` is not compatible with this tool.
 ---
 When running in Swarm mode, it's also advised to set a hard memory limit on your service (~25MB should be enough in most cases, but if you backup large files above half a gigabyte or similar, you might have to raise this in case the backup exits with `Killed`):
 ```yml
 services:
  backup:
    image: offen/docker-volume-backup:latest
    deployment:
      resources:
        limits:
          memory: 25M
 ```
 ### Manually triggering a backup
 You can manually trigger a backup run outside of the defined cron schedule by executing the `backup` command inside the container:
 ```
 docker exec <container_ref> backup
 ```
 ## Recipes
 This section lists configuration for some real-world use cases that you can mix and match according to your needs.
 ### Backing up to AWS S3
 ```yml
 version: '3'
 services:
  # ... define other services using the `data` volume here
  backup:
    image: offen/docker-volume-backup:latest
    environment:
      AWS_BUCKET_NAME: backup-bucket
      AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE
      AWS_SECRET_ACCESS_KEY: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
    volumes:
      - data:/backup/my-app-backup:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
 volumes:
  data:
 ```
 ### Backing up to MinIO
 ```yml
 version: '3'
 services:
  # ... define other services using the `data` volume here
  backup:
    image: offen/docker-volume-backup:latest
    environment:
      AWS_ENDPOINT: minio.example.com
      AWS_BUCKET_NAME: backup-bucket
      AWS_ACCESS_KEY_ID: MINIOACCESSKEY
      AWS_SECRET_ACCESS_KEY: MINIOSECRETKEY
    volumes:
      - data:/backup/my-app-backup:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
 volumes:
  data:
 ```
 ### Backing up locally
 ```yml
 version: '3'
 services:
  # ... define other services using the `data` volume here
  backup:
    image: offen/docker-volume-backup:latest
    environment:
      BACKUP_FILENAME: backup-%Y-%m-%dT%H-%M-%S.tar.gz
      BACKUP_LATEST_SYMLINK: backup-latest.tar.gz
    volumes:
      - data:/backup/my-app-backup:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ${HOME}/backups:/archive
 volumes:
  data:
 ```
 ### Backing up to AWS S3 as well as locally
 ```yml
 version: '3'
 services:
  # ... define other services using the `data` volume here
  backup:
    image: offen/docker-volume-backup:latest
    environment:
      AWS_BUCKET_NAME: backup-bucket
      AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE
      AWS_SECRET_ACCESS_KEY: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
    volumes:
      - data:/backup/my-app-backup:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ${HOME}/backups:/archive
 volumes:
  data:
 ```
 ### Running on a custom cron schedule
 ```yml
 version: '3'
 services:
  # ... define other services using the `data` volume here
  backup:
    image: offen/docker-volume-backup:latest
    environment:
      # take a backup on every hour
      BACKUP_CRON_EXPRESSION: "0 * * * *"
      AWS_BUCKET_NAME: backup-bucket
      AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE
      AWS_SECRET_ACCESS_KEY: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
    volumes:
      - data:/backup/my-app-backup:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
 volumes:
  data:
 ```
 ### Rotating away backups that are older than 7 days
 ```yml
 version: '3'
 services:
  # ... define other services using the `data` volume here
  backup:
    image: offen/docker-volume-backup:latest
    environment:
      AWS_BUCKET_NAME: backup-bucket
      AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE
      AWS_SECRET_ACCESS_KEY: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
      BACKUP_FILENAME: backup-%Y-%m-%dT%H-%M-%S.tar.gz
      BACKUP_PRUNING_PREFIX: backup-
      BACKUP_RETENTION_DAYS: 7
    volumes:
      - data:/backup/my-app-backup:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
 volumes:
  data:
 ```
 ### Encrypting your backups using GPG
 ```yml
 version: '3'
 services:
  # ... define other services using the `data` volume here
  backup:
    image: offen/docker-volume-backup:latest
    environment:
      AWS_BUCKET_NAME: backup-bucket
      AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE
      AWS_SECRET_ACCESS_KEY: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
      GPG_PASSPHRASE: somesecretstring
    volumes:
      - data:/backup/my-app-backup:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
 volumes:
  data:
 ```
 ### Running multiple instances in the same setup
 ```yml
 version: '3'
 services:
  # ... define other services using the `data_1` and `data_2` volumes here
  backup_1: &backup_service
    image: offen/docker-volume-backup:latest
    environment: &backup_environment
      BACKUP_CRON_EXPRESSION: "0 2 * * *"
      AWS_BUCKET_NAME: backup-bucket
      AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE
      AWS_SECRET_ACCESS_KEY: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
      # Label the container using the `data_1` volume as `docker-volume-backup.stop-during-backup=service1`
      BACKUP_STOP_CONTAINER_LABEL: service1
    volumes:
      - data_1:/backup/data-1-backup:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
  backup_2:
    <<: *backup_service
    environment:
      <<: *backup_environment
      # Label the container using the `data_2` volume as `docker-volume-backup.stop-during-backup=service2`
      BACKUP_CRON_EXPRESSION: "0 3 * * *"
      BACKUP_STOP_CONTAINER_LABEL: service2
    volumes:
      - data_2:/backup/data-2-backup:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
 volumes:
  data_1:
  data_2:
 ```
 ## Differences to `futurice/docker-volume-backup`
 This image is heavily inspired by `futurice/docker-volume-backup`. We decided to publish this image as a simpler and more lightweight alternative because of the following requirements:
 - The original image is based on `ubuntu` and requires additional tools, making it heavy.
 This version is roughly 1/25 in compressed size (it's ~12MB).
 - The original image uses a shell script, when this version is written in Go, which makes it easier to extend and maintain (more verbose too).
 - The original image proposed to handle backup rotation through AWS S3 lifecycle policies.
 This image adds the option to rotate away old backups through the same command so this functionality can also be offered for non-AWS storage backends like MinIO.
 Local copies of backups can also be pruned once they reach a certain age.
 - InfluxDB specific functionality from the original image was removed.
 - `arm64` and `arm/v7` architectures are supported.
 - Docker in Swarm mode is supported.
 - Notifications on failed backups are supported
 - IAM authentication through instance profiles is supported
--- a/cmd/backup/archive.go
+++ b/cmd/backup/archive.go
@@ -0,0 +1,168 @@
 // Copyright 2022 - Offen Authors <hioffen@posteo.de>
 // SPDX-License-Identifier: MPL-2.0
 // Portions of this file are taken from package `targz`, Copyright (c) 2014 Fredrik Wallgren
 // Licensed under the MIT License: https://github.com/walle/targz/blob/57fe4206da5abf7dd3901b4af3891ec2f08c7b08/LICENSE
 package main
 import (
 	"archive/tar"
 	"fmt"
 	"io"
 	"os"
 	"path"
 	"path/filepath"
 	"runtime"
 	"strings"
 	"github.com/klauspost/pgzip"
 	"github.com/klauspost/compress/zstd"
 )
 func createArchive(files []string, inputFilePath, outputFilePath string, compression string, compressionConcurrency int) error {
 	inputFilePath = stripTrailingSlashes(inputFilePath)
 	inputFilePath, outputFilePath, err := makeAbsolute(inputFilePath, outputFilePath)
 	if err != nil {
 		return fmt.Errorf("createArchive: error transposing given file paths: %w", err)
 	}
 	if err := os.MkdirAll(filepath.Dir(outputFilePath), 0755); err != nil {
 		return fmt.Errorf("createArchive: error creating output file path: %w", err)
 	}
 	if err := compress(files, outputFilePath, filepath.Dir(inputFilePath), compression, compressionConcurrency); err != nil {
 		return fmt.Errorf("createArchive: error creating archive: %w", err)
 	}
 	return nil
 }
 func stripTrailingSlashes(path string) string {
 	if len(path) > 0 && path[len(path)-1] == '/' {
 		path = path[0 : len(path)-1]
 	}
 	return path
 }
 func makeAbsolute(inputFilePath, outputFilePath string) (string, string, error) {
 	inputFilePath, err := filepath.Abs(inputFilePath)
 	if err == nil {
 		outputFilePath, err = filepath.Abs(outputFilePath)
 	}
 	return inputFilePath, outputFilePath, err
 }
 func compress(paths []string, outFilePath, subPath string, algo string, concurrency int) error {
 	file, err := os.Create(outFilePath)
 	if err != nil {
 		return fmt.Errorf("compress: error creating out file: %w", err)
 	}
 	prefix := path.Dir(outFilePath)
 	compressWriter, err := getCompressionWriter(file, algo, concurrency)
 	if err != nil {
 		return fmt.Errorf("compress: error getting compression writer: %w", err)
 	}
 	tarWriter := tar.NewWriter(compressWriter)
 	for _, p := range paths {
 		if err := writeTarball(p, tarWriter, prefix); err != nil {
 			return fmt.Errorf("compress: error writing %s to archive: %w", p, err)
 		}
 	}
 	err = tarWriter.Close()
 	if err != nil {
 		return fmt.Errorf("compress: error closing tar writer: %w", err)
 	}
 	err = compressWriter.Close()
 	if err != nil {
 		return fmt.Errorf("compress: error closing compression writer: %w", err)
 	}
 	err = file.Close()
 	if err != nil {
 		return fmt.Errorf("compress: error closing file: %w", err)
 	}
 	return nil
 }
 func getCompressionWriter(file *os.File, algo string, concurrency int) (io.WriteCloser, error) {
 	switch algo {
 	case "gz":
 		w, err := pgzip.NewWriterLevel(file, 5)
 		if err != nil {
 			return nil, fmt.Errorf("getCompressionWriter: gzip error: %w", err)
 		}
 		if concurrency == 0 {
 			concurrency = runtime.GOMAXPROCS(0)
 		}
 		if err := w.SetConcurrency(1<<20, concurrency); err != nil {
 			return nil, fmt.Errorf("getCompressionWriter: error setting concurrency: %w", err)
 		}
 		return w, nil
 	case "zst":
 		compressWriter, err := zstd.NewWriter(file)
 		if err != nil {
 			return nil, fmt.Errorf("getCompressionWriter: zstd error: %w", err)
 		}
 		return compressWriter, nil
 	default:
 		return nil, fmt.Errorf("getCompressionWriter: unsupported compression algorithm: %s", algo)
 	}
 }
 func writeTarball(path string, tarWriter *tar.Writer, prefix string) error {
 	fileInfo, err := os.Lstat(path)
 	if err != nil {
 		return fmt.Errorf("writeTarball: error getting file infor for %s: %w", path, err)
 	}
 	if fileInfo.Mode()&os.ModeSocket == os.ModeSocket {
 		return nil
 	}
 	var link string
 	if fileInfo.Mode()&os.ModeSymlink == os.ModeSymlink {
 		var err error
 		if link, err = os.Readlink(path); err != nil {
 			return fmt.Errorf("writeTarball: error resolving symlink %s: %w", path, err)
 		}
 	}
 	header, err := tar.FileInfoHeader(fileInfo, link)
 	if err != nil {
 		return fmt.Errorf("writeTarball: error getting file info header: %w", err)
 	}
 	header.Name = strings.TrimPrefix(path, prefix)
 	err = tarWriter.WriteHeader(header)
 	if err != nil {
 		return fmt.Errorf("writeTarball: error writing file info header: %w", err)
 	}
 	if !fileInfo.Mode().IsRegular() {
 		return nil
 	}
 	file, err := os.Open(path)
 	if err != nil {
 		return fmt.Errorf("writeTarball: error opening %s: %w", path, err)
 	}
 	defer file.Close()
 	_, err = io.Copy(tarWriter, file)
 	if err != nil {
 		return fmt.Errorf("writeTarball: error copying %s to tar writer: %w", path, err)
 	}
 	return nil
 }
--- a/cmd/backup/config.go
+++ b/cmd/backup/config.go
@@ -0,0 +1,174 @@
 // Copyright 2022 - Offen Authors <hioffen@posteo.de>
 // SPDX-License-Identifier: MPL-2.0
 package main
 import (
 	"crypto/x509"
 	"encoding/pem"
 	"fmt"
 	"os"
 	"regexp"
 	"strconv"
 	"time"
 )
 // Config holds all configuration values that are expected to be set
 // by users.
 type Config struct {
 	AwsS3BucketName               string          `split_words:"true"`
 	AwsS3Path                     string          `split_words:"true"`
 	AwsEndpoint                   string          `split_words:"true" default:"s3.amazonaws.com"`
 	AwsEndpointProto              string          `split_words:"true" default:"https"`
 	AwsEndpointInsecure           bool            `split_words:"true"`
 	AwsEndpointCACert             CertDecoder     `envconfig:"AWS_ENDPOINT_CA_CERT"`
 	AwsStorageClass               string          `split_words:"true"`
 	AwsAccessKeyID                string          `envconfig:"AWS_ACCESS_KEY_ID"`
 	AwsSecretAccessKey            string          `split_words:"true"`
 	AwsIamRoleEndpoint            string          `split_words:"true"`
 	AwsPartSize                   int64           `split_words:"true"`
 	BackupCompression             CompressionType `split_words:"true" default:"gz"`
 	GzipParallelism               WholeNumber     `split_words:"true" default:"1"`
 	BackupSources                 string          `split_words:"true" default:"/backup"`
 	BackupFilename                string          `split_words:"true" default:"backup-%Y-%m-%dT%H-%M-%S.{{ .Extension }}"`
 	BackupFilenameExpand          bool            `split_words:"true"`
 	BackupLatestSymlink           string          `split_words:"true"`
 	BackupArchive                 string          `split_words:"true" default:"/archive"`
 	BackupCronExpression          string          `split_words:"true" default:"@daily"`
 	BackupRetentionDays           int32           `split_words:"true" default:"-1"`
 	BackupPruningLeeway           time.Duration   `split_words:"true" default:"1m"`
 	BackupPruningPrefix           string          `split_words:"true"`
 	BackupStopContainerLabel      string          `split_words:"true"`
 	BackupStopDuringBackupLabel   string          `split_words:"true" default:"true"`
 	BackupStopServiceTimeout      time.Duration   `split_words:"true" default:"5m"`
 	BackupFromSnapshot            bool            `split_words:"true"`
 	BackupExcludeRegexp           RegexpDecoder   `split_words:"true"`
 	BackupSkipBackendsFromPrune   []string        `split_words:"true"`
 	GpgPassphrase                 string          `split_words:"true"`
 	NotificationURLs              []string        `envconfig:"NOTIFICATION_URLS"`
 	NotificationLevel             string          `split_words:"true" default:"error"`
 	EmailNotificationRecipient    string          `split_words:"true"`
 	EmailNotificationSender       string          `split_words:"true" default:"noreply@nohost"`
 	EmailSMTPHost                 string          `envconfig:"EMAIL_SMTP_HOST"`
 	EmailSMTPPort                 int             `envconfig:"EMAIL_SMTP_PORT" default:"587"`
 	EmailSMTPUsername             string          `envconfig:"EMAIL_SMTP_USERNAME"`
 	EmailSMTPPassword             string          `envconfig:"EMAIL_SMTP_PASSWORD"`
 	WebdavUrl                     string          `split_words:"true"`
 	WebdavUrlInsecure             bool            `split_words:"true"`
 	WebdavPath                    string          `split_words:"true" default:"/"`
 	WebdavUsername                string          `split_words:"true"`
 	WebdavPassword                string          `split_words:"true"`
 	SSHHostName                   string          `split_words:"true"`
 	SSHPort                       string          `split_words:"true" default:"22"`
 	SSHUser                       string          `split_words:"true"`
 	SSHPassword                   string          `split_words:"true"`
 	SSHIdentityFile               string          `split_words:"true" default:"/root/.ssh/id_rsa"`
 	SSHIdentityPassphrase         string          `split_words:"true"`
 	SSHRemotePath                 string          `split_words:"true"`
 	ExecLabel                     string          `split_words:"true"`
 	ExecForwardOutput             bool            `split_words:"true"`
 	LockTimeout                   time.Duration   `split_words:"true" default:"60m"`
 	AzureStorageAccountName       string          `split_words:"true"`
 	AzureStoragePrimaryAccountKey string          `split_words:"true"`
 	AzureStorageContainerName     string          `split_words:"true"`
 	AzureStoragePath              string          `split_words:"true"`
 	AzureStorageEndpoint          string          `split_words:"true" default:"https://{{ .AccountName }}.blob.core.windows.net/"`
 	DropboxEndpoint               string          `split_words:"true" default:"https://api.dropbox.com/"`
 	DropboxOAuth2Endpoint         string          `envconfig:"DROPBOX_OAUTH2_ENDPOINT" default:"https://api.dropbox.com/"`
 	DropboxRefreshToken           string          `split_words:"true"`
 	DropboxAppKey                 string          `split_words:"true"`
 	DropboxAppSecret              string          `split_words:"true"`
 	DropboxRemotePath             string          `split_words:"true"`
 	DropboxConcurrencyLevel       NaturalNumber   `split_words:"true" default:"6"`
 }
 type CompressionType string
 func (c *CompressionType) Decode(v string) error {
 	switch v {
 	case "gz", "zst":
 		*c = CompressionType(v)
 		return nil
 	default:
 		return fmt.Errorf("config: error decoding compression type %s", v)
 	}
 }
 func (c *CompressionType) String() string {
 	return string(*c)
 }
 type CertDecoder struct {
 	Cert *x509.Certificate
 }
 func (c *CertDecoder) Decode(v string) error {
 	if v == "" {
 		return nil
 	}
 	content, err := os.ReadFile(v)
 	if err != nil {
 		content = []byte(v)
 	}
 	block, _ := pem.Decode(content)
 	cert, err := x509.ParseCertificate(block.Bytes)
 	if err != nil {
 		return fmt.Errorf("config: error parsing certificate: %w", err)
 	}
 	*c = CertDecoder{Cert: cert}
 	return nil
 }
 type RegexpDecoder struct {
 	Re *regexp.Regexp
 }
 func (r *RegexpDecoder) Decode(v string) error {
 	if v == "" {
 		return nil
 	}
 	re, err := regexp.Compile(v)
 	if err != nil {
 		return fmt.Errorf("config: error compiling given regexp `%s`: %w", v, err)
 	}
 	*r = RegexpDecoder{Re: re}
 	return nil
 }
 // NaturalNumber is a type that can be used to decode a positive, non-zero natural number
 type NaturalNumber int
 func (n *NaturalNumber) Decode(v string) error {
 	asInt, err := strconv.Atoi(v)
 	if err != nil {
 		return fmt.Errorf("config: error converting %s to int", v)
 	}
 	if asInt <= 0 {
 		return fmt.Errorf("config: expected a natural number, got %d", asInt)
 	}
 	*n = NaturalNumber(asInt)
 	return nil
 }
 func (n *NaturalNumber) Int() int {
 	return int(*n)
 }
 // WholeNumber is a type that can be used to decode a positive whole number, including zero
 type WholeNumber int
 func (n *WholeNumber) Decode(v string) error {
 	asInt, err := strconv.Atoi(v)
 	if err != nil {
 		return fmt.Errorf("config: error converting %s to int", v)
 	}
 	if asInt < 0 {
 		return fmt.Errorf("config: expected a whole, positive number, including zero. Got %d", asInt)
 	}
 	*n = WholeNumber(asInt)
 	return nil
 }
 func (n *WholeNumber) Int() int {
 	return int(*n)
 }
--- a/cmd/backup/config_provider.go
+++ b/cmd/backup/config_provider.go
@@ -0,0 +1,87 @@
 // Copyright 2021-2022 - Offen Authors <hioffen@posteo.de>
 // SPDX-License-Identifier: MPL-2.0
 package main
 import (
 	"fmt"
 	"os"
 	"path/filepath"
 	"github.com/joho/godotenv"
 	"github.com/offen/envconfig"
 )
 // envProxy is a function that mimics os.LookupEnv but can read values from any other source
 type envProxy func(string) (string, bool)
 func loadConfig(lookup envProxy) (*Config, error) {
 	envconfig.Lookup = func(key string) (string, bool) {
 		value, okValue := lookup(key)
 		location, okFile := lookup(key + "_FILE")
 		switch {
 		case okValue && !okFile: // only value
 			return value, true
 		case !okValue && okFile: // only file
 			contents, err := os.ReadFile(location)
 			if err != nil {
 				return "", false
 			}
 			return string(contents), true
 		case okValue && okFile: // both
 			return "", false
 		default: // neither, ignore
 			return "", false
 		}
 	}
 	var c = &Config{}
 	if err := envconfig.Process("", c); err != nil {
 		return nil, fmt.Errorf("loadConfig: failed to process configuration values: %w", err)
 	}
 	return c, nil
 }
 func loadEnvVars() (*Config, error) {
 	return loadConfig(os.LookupEnv)
 }
 type configFile struct {
 	name   string
 	config *Config
 }
 func loadEnvFiles(directory string) ([]configFile, error) {
 	items, err := os.ReadDir(directory)
 	if err != nil {
 		if os.IsNotExist(err) {
 			return nil, err
 		}
 		return nil, fmt.Errorf("loadEnvFiles: failed to read files from env directory: %w", err)
 	}
 	cs := []configFile{}
 	for _, item := range items {
 		if item.IsDir() {
 			continue
 		}
 		p := filepath.Join(directory, item.Name())
 		envFile, err := godotenv.Read(p)
 		if err != nil {
 			return nil, fmt.Errorf("loadEnvFiles: error reading config file %s: %w", p, err)
 		}
 		lookup := func(key string) (string, bool) {
 			val, ok := envFile[key]
 			return val, ok
 		}
 		c, err := loadConfig(lookup)
 		if err != nil {
 			return nil, fmt.Errorf("loadEnvFiles: error loading config from file %s: %w", p, err)
 		}
 		cs = append(cs, configFile{config: c, name: item.Name()})
 	}
 	return cs, nil
 }
--- a/cmd/backup/cron.go
+++ b/cmd/backup/cron.go
@@ -0,0 +1,29 @@
 // Copyright 2024 - Offen Authors <hioffen@posteo.de>
 // SPDX-License-Identifier: MPL-2.0
 package main
 import (
 	"time"
 	"github.com/robfig/cron/v3"
 )
 // checkCronSchedule detects whether the given cron expression will actually
 // ever be executed or not.
 func checkCronSchedule(expression string) (ok bool) {
 	defer func() {
 		if err := recover(); err != nil {
 			ok = false
 		}
 	}()
 	sched, err := cron.ParseStandard(expression)
 	if err != nil {
 		ok = false
 		return
 	}
 	now := time.Now()
 	sched.Next(now) // panics when the cron would never run
 	ok = true
 	return
 }
--- a/cmd/backup/exec.go
+++ b/cmd/backup/exec.go
@@ -0,0 +1,205 @@
 // Copyright 2022 - Offen Authors <hioffen@posteo.de>
 // SPDX-License-Identifier: MPL-2.0
 // Portions of this file are taken and adapted from `moby`, Copyright 2012-2017 Docker, Inc.
 // Licensed under the Apache 2.0 License: https://github.com/moby/moby/blob/8e610b2b55bfd1bfa9436ab110d311f5e8a74dcb/LICENSE
 package main
 import (
 	"bytes"
 	"context"
 	"fmt"
 	"io"
 	"os"
 	"strings"
 	"github.com/cosiner/argv"
 	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/filters"
 	"github.com/docker/docker/pkg/stdcopy"
 	"golang.org/x/sync/errgroup"
 )
 func (s *script) exec(containerRef string, command string, user string) ([]byte, []byte, error) {
 	args, _ := argv.Argv(command, nil, nil)
 	commandEnv := []string{
 		fmt.Sprintf("COMMAND_RUNTIME_ARCHIVE_FILEPATH=%s", s.file),
 	}
 	execID, err := s.cli.ContainerExecCreate(context.Background(), containerRef, types.ExecConfig{
 		Cmd:          args[0],
 		AttachStdin:  true,
 		AttachStderr: true,
 		Env:          commandEnv,
 		User:         user,
 	})
 	if err != nil {
 		return nil, nil, fmt.Errorf("exec: error creating container exec: %w", err)
 	}
 	resp, err := s.cli.ContainerExecAttach(context.Background(), execID.ID, types.ExecStartCheck{})
 	if err != nil {
 		return nil, nil, fmt.Errorf("exec: error attaching container exec: %w", err)
 	}
 	defer resp.Close()
 	var outBuf, errBuf bytes.Buffer
 	outputDone := make(chan error)
 	go func() {
 		_, err := stdcopy.StdCopy(&outBuf, &errBuf, resp.Reader)
 		outputDone <- err
 	}()
 	if err := <-outputDone; err != nil {
 		return nil, nil, fmt.Errorf("exec: error demultiplexing output: %w", err)
 	}
 	stdout, err := io.ReadAll(&outBuf)
 	if err != nil {
 		return nil, nil, fmt.Errorf("exec: error reading stdout: %w", err)
 	}
 	stderr, err := io.ReadAll(&errBuf)
 	if err != nil {
 		return nil, nil, fmt.Errorf("exec: error reading stderr: %w", err)
 	}
 	res, err := s.cli.ContainerExecInspect(context.Background(), execID.ID)
 	if err != nil {
 		return nil, nil, fmt.Errorf("exec: error inspecting container exec: %w", err)
 	}
 	if res.ExitCode > 0 {
 		return stdout, stderr, fmt.Errorf("exec: running command exited %d", res.ExitCode)
 	}
 	return stdout, stderr, nil
 }
 func (s *script) runLabeledCommands(label string) error {
 	f := []filters.KeyValuePair{
 		{Key: "label", Value: label},
 	}
 	if s.c.ExecLabel != "" {
 		f = append(f, filters.KeyValuePair{
 			Key:   "label",
 			Value: fmt.Sprintf("docker-volume-backup.exec-label=%s", s.c.ExecLabel),
 		})
 	}
 	containersWithCommand, err := s.cli.ContainerList(context.Background(), types.ContainerListOptions{
 		Filters: filters.NewArgs(f...),
 	})
 	if err != nil {
 		return fmt.Errorf("runLabeledCommands: error querying for containers: %w", err)
 	}
 	var hasDeprecatedContainers bool
 	if label == "docker-volume-backup.archive-pre" {
 		f[0] = filters.KeyValuePair{
 			Key:   "label",
 			Value: "docker-volume-backup.exec-pre",
 		}
 		deprecatedContainers, err := s.cli.ContainerList(context.Background(), types.ContainerListOptions{
 			Filters: filters.NewArgs(f...),
 		})
 		if err != nil {
 			return fmt.Errorf("runLabeledCommands: error querying for containers: %w", err)
 		}
 		if len(deprecatedContainers) != 0 {
 			hasDeprecatedContainers = true
 			containersWithCommand = append(containersWithCommand, deprecatedContainers...)
 		}
 	}
 	if label == "docker-volume-backup.archive-post" {
 		f[0] = filters.KeyValuePair{
 			Key:   "label",
 			Value: "docker-volume-backup.exec-post",
 		}
 		deprecatedContainers, err := s.cli.ContainerList(context.Background(), types.ContainerListOptions{
 			Filters: filters.NewArgs(f...),
 		})
 		if err != nil {
 			return fmt.Errorf("runLabeledCommands: error querying for containers: %w", err)
 		}
 		if len(deprecatedContainers) != 0 {
 			hasDeprecatedContainers = true
 			containersWithCommand = append(containersWithCommand, deprecatedContainers...)
 		}
 	}
 	if len(containersWithCommand) == 0 {
 		return nil
 	}
 	if hasDeprecatedContainers {
 		s.logger.Warn(
 			"Using `docker-volume-backup.exec-pre` and `docker-volume-backup.exec-post` labels has been deprecated and will be removed in the next major version.",
 		)
 		s.logger.Warn(
 			"Please use other `-pre` and `-post` labels instead. Refer to the README for an upgrade guide.",
 		)
 	}
 	g := new(errgroup.Group)
 	for _, container := range containersWithCommand {
 		c := container
 		g.Go(func() error {
 			cmd, ok := c.Labels[label]
 			if !ok && label == "docker-volume-backup.archive-pre" {
 				cmd = c.Labels["docker-volume-backup.exec-pre"]
 			} else if !ok && label == "docker-volume-backup.archive-post" {
 				cmd = c.Labels["docker-volume-backup.exec-post"]
 			}
 			userLabelName := fmt.Sprintf("%s.user", label)
 			user := c.Labels[userLabelName]
 			s.logger.Info(fmt.Sprintf("Running %s command %s for container %s", label, cmd, strings.TrimPrefix(c.Names[0], "/")))
 			stdout, stderr, err := s.exec(c.ID, cmd, user)
 			if s.c.ExecForwardOutput {
 				os.Stderr.Write(stderr)
 				os.Stdout.Write(stdout)
 			}
 			if err != nil {
 				return fmt.Errorf("runLabeledCommands: error executing command: %w", err)
 			}
 			return nil
 		})
 	}
 	if err := g.Wait(); err != nil {
 		return fmt.Errorf("runLabeledCommands: error from errgroup: %w", err)
 	}
 	return nil
 }
 type lifecyclePhase string
 const (
 	lifecyclePhaseArchive lifecyclePhase = "archive"
 	lifecyclePhaseProcess lifecyclePhase = "process"
 	lifecyclePhaseCopy    lifecyclePhase = "copy"
 	lifecyclePhasePrune   lifecyclePhase = "prune"
 )
 func (s *script) withLabeledCommands(step lifecyclePhase, cb func() error) func() error {
 	if s.cli == nil {
 		return cb
 	}
 	return func() (err error) {
 		if err = s.runLabeledCommands(fmt.Sprintf("docker-volume-backup.%s-pre", step)); err != nil {
 			err = fmt.Errorf("withLabeledCommands: %s: error running pre commands: %w", step, err)
 			return
 		}
 		defer func() {
 			derr := s.runLabeledCommands(fmt.Sprintf("docker-volume-backup.%s-post", step))
 			if err == nil && derr != nil {
 				err = derr
 			}
 		}()
 		err = cb()
 		return
 	}
 }
--- a/cmd/backup/hooks.go
+++ b/cmd/backup/hooks.go
@@ -0,0 +1,57 @@
 // Copyright 2022 - Offen Authors <hioffen@posteo.de>
 // SPDX-License-Identifier: MPL-2.0
 package main
 import (
 	"errors"
 	"fmt"
 	"sort"
 )
 // hook contains a queued action that can be trigger them when the script
 // reaches a certain point (e.g. unsuccessful backup)
 type hook struct {
 	level  hookLevel
 	action func(err error) error
 }
 type hookLevel int
 const (
 	hookLevelPlumbing hookLevel = iota
 	hookLevelError
 	hookLevelInfo
 )
 var hookLevels = map[string]hookLevel{
 	"info":  hookLevelInfo,
 	"error": hookLevelError,
 }
 // registerHook adds the given action at the given level.
 func (s *script) registerHook(level hookLevel, action func(err error) error) {
 	s.hooks = append(s.hooks, hook{level, action})
 }
 // runHooks runs all hooks that have been registered using the
 // given levels in the defined ordering. In case executing a hook returns an
 // error, the following hooks will still be run before the function returns.
 func (s *script) runHooks(err error) error {
 	sort.SliceStable(s.hooks, func(i, j int) bool {
 		return s.hooks[i].level < s.hooks[j].level
 	})
 	var actionErrors []error
 	for _, hook := range s.hooks {
 		if hook.level > s.hookLevel {
 			continue
 		}
 		if actionErr := hook.action(err); actionErr != nil {
 			actionErrors = append(actionErrors, fmt.Errorf("runHooks: error running hook: %w", actionErr))
 		}
 	}
 	if len(actionErrors) != 0 {
 		return errors.Join(actionErrors...)
 	}
 	return nil
 }
--- a/cmd/backup/lock.go
+++ b/cmd/backup/lock.go
@@ -0,0 +1,60 @@
 // Copyright 2022 - Offen Authors <hioffen@posteo.de>
 // SPDX-License-Identifier: MPL-2.0
 package main
 import (
 	"errors"
 	"fmt"
 	"time"
 	"github.com/gofrs/flock"
 )
 // lock opens a lockfile at the given location, keeping it locked until the
 // caller invokes the returned release func. In case the lock is currently blocked
 // by another execution, it will repeatedly retry until the lock is available
 // or the given timeout is exceeded.
 func (s *script) lock(lockfile string) (func() error, error) {
 	start := time.Now()
 	defer func() {
 		s.stats.LockedTime = time.Since(start)
 	}()
 	retry := time.NewTicker(5 * time.Second)
 	defer retry.Stop()
 	deadline := time.NewTimer(s.c.LockTimeout)
 	defer deadline.Stop()
 	fileLock := flock.New(lockfile)
 	for {
 		acquired, err := fileLock.TryLock()
 		if err != nil {
 			return noop, fmt.Errorf("lock: error trying to lock: %w", err)
 		}
 		if acquired {
 			if s.encounteredLock {
 				s.logger.Info("Acquired exclusive lock on subsequent attempt, ready to continue.")
 			}
 			return fileLock.Unlock, nil
 		}
 		if !s.encounteredLock {
 			s.logger.Info(
 				fmt.Sprintf(
 					"Exclusive lock was not available on first attempt. Will retry until it becomes available or the timeout of %s is exceeded.",
 					s.c.LockTimeout,
 				),
 			)
 			s.encounteredLock = true
 		}
 		select {
 		case <-retry.C:
 			continue
 		case <-deadline.C:
 			return noop, errors.New("lock: timed out waiting for lockfile to become available")
 		}
 	}
 }
--- a/cmd/backup/main.go
+++ b/cmd/backup/main.go
@@ -1,675 +1,249 @@
-// Copyright 2021 - Offen Authors <hioffen@posteo.de>
+// Copyright 2021-2022 - Offen Authors <hioffen@posteo.de>
 // SPDX-License-Identifier: MPL-2.0
 package main
 import (
-	"bytes"
+	"flag"
 	"context"
 	"errors"
 	"fmt"
-	"io"
+	"log/slog"
 	"os"
-	"path"
+	"os/signal"
-	"path/filepath"
+	"runtime"
-	"strings"
+	"syscall"
 	"time"
-	"github.com/docker/docker/api/types"
+	"github.com/robfig/cron/v3"
 	"github.com/docker/docker/api/types/filters"
 	"github.com/docker/docker/api/types/swarm"
 	"github.com/docker/docker/client"
 	"github.com/go-gomail/gomail"
 	"github.com/gofrs/flock"
 	"github.com/kelseyhightower/envconfig"
 	"github.com/leekchan/timeutil"
 	"github.com/m90/targz"
 	"github.com/minio/minio-go/v7"
 	"github.com/minio/minio-go/v7/pkg/credentials"
 	"github.com/sirupsen/logrus"
 	"golang.org/x/crypto/openpgp"
 )
-func main() {
+type command struct {
-	unlock := lock("/var/lock/dockervolumebackup.lock")
+	logger *slog.Logger
-	defer unlock()
+}
-	s, err := newScript()
+func newCommand() *command {
-	if err != nil {
+	return &command{
-		panic(err)
+		logger: slog.New(slog.NewTextHandler(os.Stdout, nil)),
 	}
 }
-	defer func() {
+func (c *command) must(err error) {
-		if err := recover(); err != nil {
+	if err != nil {
-			if e, ok := err.(error); ok && strings.Contains(e.Error(), msgBackupFailed) {
+		c.logger.Error(
 			fmt.Sprintf("Fatal error running command: %v", err),
 			"error",
 			err,
 		)
 		os.Exit(1)
 	}
-			panic(err)
+}
 func runScript(c *Config) (err error) {
 	defer func() {
 		if derr := recover(); derr != nil {
 			err = fmt.Errorf("runScript: unexpected panic running script: %v", err)
 		}
 	}()
-	s.must(func() error {
+	s, err := newScript(c)
-		restartContainers, err := s.stopContainers()
+	if err != nil {
 		err = fmt.Errorf("runScript: error instantiating script: %w", err)
 		return
 	}
 	runErr := func() (err error) {
 		unlock, err := s.lock("/var/lock/dockervolumebackup.lock")
 		if err != nil {
 			err = fmt.Errorf("runScript: error acquiring file lock: %w", err)
 			return
 		}
 		defer func() {
-			s.must(restartContainers())
+			derr := unlock()
 			if err == nil && derr != nil {
 				err = fmt.Errorf("runScript: error releasing file lock: %w", derr)
 			}
 		}()
 		scriptErr := func() error {
 			if err := s.withLabeledCommands(lifecyclePhaseArchive, func() (err error) {
 				restartContainersAndServices, err := s.stopContainersAndServices()
 				// The mechanism for restarting containers is not using hooks as it
 				// should happen as soon as possible (i.e. before uploading backups or
 				// similar).
 				defer func() {
 					derr := restartContainersAndServices()
 					if err == nil {
 						err = derr
 					}
 				}()
 				if err != nil {
 					return
 				}
 				err = s.createArchive()
 				return
 			})(); err != nil {
 				return err
 			}
 		return s.takeBackup()
 	}())
-	s.must(func() error {
+			if err := s.withLabeledCommands(lifecyclePhaseProcess, s.encryptArchive)(); err != nil {
-		defer func() {
+				return err
-			s.must(s.removeArtifacts())
+			}
 			if err := s.withLabeledCommands(lifecyclePhaseCopy, s.copyArchive)(); err != nil {
 				return err
 			}
 			if err := s.withLabeledCommands(lifecyclePhasePrune, s.pruneBackups)(); err != nil {
 				return err
 			}
 			return nil
 		}()
 		s.must(s.encryptBackup())
 		return s.copyBackup()
 	}())
-	s.must(s.pruneOldBackups())
+		if hookErr := s.runHooks(scriptErr); hookErr != nil {
-	s.logger.Info("Finished running backup tasks.")
+			if scriptErr != nil {
 }
 // script holds all the stateful information required to orchestrate a
 // single backup run.
 type script struct {
 	cli    *client.Client
 	mc     *minio.Client
 	logger *logrus.Logger
 	hooks  []hook
 	start  time.Time
 	file   string
 	output *bytes.Buffer
 	c *config
 }
 type config struct {
 	BackupSources              string        `split_words:"true" default:"/backup"`
 	BackupFilename             string        `split_words:"true" default:"backup-%Y-%m-%dT%H-%M-%S.tar.gz"`
 	BackupLatestSymlink        string        `split_words:"true"`
 	BackupArchive              string        `split_words:"true" default:"/archive"`
 	BackupRetentionDays        int32         `split_words:"true" default:"-1"`
 	BackupPruningLeeway        time.Duration `split_words:"true" default:"1m"`
 	BackupPruningPrefix        string        `split_words:"true"`
 	BackupStopContainerLabel   string        `split_words:"true" default:"true"`
 	AwsS3BucketName            string        `split_words:"true"`
 	AwsEndpoint                string        `split_words:"true" default:"s3.amazonaws.com"`
 	AwsEndpointProto           string        `split_words:"true" default:"https"`
 	AwsEndpointInsecure        bool          `split_words:"true"`
 	AwsAccessKeyID             string        `envconfig:"AWS_ACCESS_KEY_ID"`
 	AwsSecretAccessKey         string        `split_words:"true"`
 	AwsIamRoleEndpoint         string        `split_words:"true"`
 	GpgPassphrase              string        `split_words:"true"`
 	EmailNotificationRecipient string        `split_words:"true"`
 	EmailNotificationSender    string        `split_words:"true" default:"noreply@nohost"`
 	EmailSMTPHost              string        `envconfig:"EMAIL_SMTP_HOST"`
 	EmailSMTPPort              int           `envconfig:"EMAIL_SMTP_PORT" default:"587"`
 	EmailSMTPUsername          string        `envconfig:"EMAIL_SMTP_USERNAME"`
 	EmailSMTPPassword          string        `envconfig:"EMAIL_SMTP_PASSWORD"`
 }
 var msgBackupFailed = "backup run failed"
 // newScript creates all resources needed for the script to perform actions against
 // remote resources like the Docker engine or remote storage locations. All
 // reading from env vars or other configuration sources is expected to happen
 // in this method.
 func newScript() (*script, error) {
 	stdOut, logBuffer := buffer(os.Stdout)
 	s := &script{
 		c: &config{},
 		logger: &logrus.Logger{
 			Out:       stdOut,
 			Formatter: new(logrus.TextFormatter),
 			Hooks:     make(logrus.LevelHooks),
 			Level:     logrus.InfoLevel,
 		},
 		start:  time.Now(),
 		output: logBuffer,
 	}
 	if err := envconfig.Process("", s.c); err != nil {
 		return nil, fmt.Errorf("newScript: failed to process configuration values: %w", err)
 	}
 	s.file = path.Join("/tmp", s.c.BackupFilename)
 	_, err := os.Stat("/var/run/docker.sock")
 	if !os.IsNotExist(err) {
 		cli, err := client.NewClientWithOpts(client.FromEnv, client.WithAPIVersionNegotiation())
 		if err != nil {
 			return nil, fmt.Errorf("newScript: failed to create docker client")
 		}
 		s.cli = cli
 	}
 	if s.c.AwsS3BucketName != "" {
 		var creds *credentials.Credentials
 		if s.c.AwsAccessKeyID != "" && s.c.AwsSecretAccessKey != "" {
 			creds = credentials.NewStaticV4(
 				s.c.AwsAccessKeyID,
 				s.c.AwsSecretAccessKey,
 				"",
 			)
 		} else if s.c.AwsIamRoleEndpoint != "" {
 			creds = credentials.NewIAM(s.c.AwsIamRoleEndpoint)
 		} else {
 			return nil, errors.New("newScript: AWS_S3_BUCKET_NAME is defined, but no credentials were provided")
 		}
 		options := minio.Options{
 			Creds:  creds,
 			Secure: s.c.AwsEndpointProto == "https",
 		}
 		if s.c.AwsEndpointInsecure {
 			if !options.Secure {
 				return nil, errors.New("newScript: AWS_ENDPOINT_INSECURE = true is only meaningful for https")
 			}
 			transport, err := minio.DefaultTransport(true)
 			if err != nil {
 				return nil, fmt.Errorf("newScript: failed to create default minio transport")
 			}
 			transport.TLSClientConfig.InsecureSkipVerify = true
 			options.Transport = transport
 		}
 		mc, err := minio.New(s.c.AwsEndpoint, &options)
 		if err != nil {
 			return nil, fmt.Errorf("newScript: error setting up minio client: %w", err)
 		}
 		s.mc = mc
 	}
 	if s.c.EmailNotificationRecipient != "" {
 		s.hooks = append(s.hooks, hook{hookLevelFailure, func(err error, start time.Time, logOutput string) error {
 			mailer := gomail.NewDialer(
 				s.c.EmailSMTPHost, s.c.EmailSMTPPort, s.c.EmailSMTPUsername, s.c.EmailSMTPPassword,
 			)
 			subject := fmt.Sprintf(
 				"Failure running docker-volume-backup at %s", start.Format(time.RFC3339),
 			)
 			body := fmt.Sprintf(
 				"Running docker-volume-backup failed with error: %s\n\nLog output of the failed run was:\n\n%s\n", err, logOutput,
 			)
 			message := gomail.NewMessage()
 			message.SetHeader("From", s.c.EmailNotificationSender)
 			message.SetHeader("To", s.c.EmailNotificationRecipient)
 			message.SetHeader("Subject", subject)
 			message.SetBody("text/plain", body)
 			return mailer.DialAndSend(message)
 		}})
 	}
 	return s, nil
 }
 var noop = func() error { return nil }
 // stopContainers stops all Docker containers that are marked as to being
 // stopped during the backup and returns a function that can be called to
 // restart everything that has been stopped.
 func (s *script) stopContainers() (func() error, error) {
 	if s.cli == nil {
 		return noop, nil
 	}
 	allContainers, err := s.cli.ContainerList(context.Background(), types.ContainerListOptions{
 		Quiet: true,
 	})
 	if err != nil {
 		return noop, fmt.Errorf("stopContainersAndRun: error querying for containers: %w", err)
 	}
 	containerLabel := fmt.Sprintf(
 		"docker-volume-backup.stop-during-backup=%s",
 		s.c.BackupStopContainerLabel,
 	)
 	containersToStop, err := s.cli.ContainerList(context.Background(), types.ContainerListOptions{
 		Quiet: true,
 		Filters: filters.NewArgs(filters.KeyValuePair{
 			Key:   "label",
 			Value: containerLabel,
 		}),
 	})
 	if err != nil {
 		return noop, fmt.Errorf("stopContainersAndRun: error querying for containers to stop: %w", err)
 	}
 	if len(containersToStop) == 0 {
 		return noop, nil
 	}
 	s.logger.Infof(
 		"Stopping %d container(s) labeled `%s` out of %d running container(s).",
 		len(containersToStop),
 		containerLabel,
 		len(allContainers),
 	)
 	var stoppedContainers []types.Container
 	var stopErrors []error
 	for _, container := range containersToStop {
 		if err := s.cli.ContainerStop(context.Background(), container.ID, nil); err != nil {
 			stopErrors = append(stopErrors, err)
 		} else {
 			stoppedContainers = append(stoppedContainers, container)
 		}
 	}
 	var stopError error
 	if len(stopErrors) != 0 {
 		stopError = fmt.Errorf(
 			"stopContainersAndRun: %d error(s) stopping containers: %w",
 			len(stopErrors),
 			join(stopErrors...),
 		)
 	}
 	return func() error {
 		servicesRequiringUpdate := map[string]struct{}{}
 		var restartErrors []error
 		for _, container := range stoppedContainers {
 			if swarmServiceName, ok := container.Labels["com.docker.swarm.service.name"]; ok {
 				servicesRequiringUpdate[swarmServiceName] = struct{}{}
 				continue
 			}
 			if err := s.cli.ContainerStart(context.Background(), container.ID, types.ContainerStartOptions{}); err != nil {
 				restartErrors = append(restartErrors, err)
 			}
 		}
 		if len(servicesRequiringUpdate) != 0 {
 			services, _ := s.cli.ServiceList(context.Background(), types.ServiceListOptions{})
 			for serviceName := range servicesRequiringUpdate {
 				var serviceMatch swarm.Service
 				for _, service := range services {
 					if service.Spec.Name == serviceName {
 						serviceMatch = service
 						break
 					}
 				}
 				if serviceMatch.ID == "" {
 					return fmt.Errorf("stopContainersAndRun: couldn't find service with name %s", serviceName)
 				}
 				serviceMatch.Spec.TaskTemplate.ForceUpdate = 1
 				_, err := s.cli.ServiceUpdate(
 					context.Background(), serviceMatch.ID,
 					serviceMatch.Version, serviceMatch.Spec, types.ServiceUpdateOptions{},
 				)
 				if err != nil {
 					restartErrors = append(restartErrors, err)
 				}
 			}
 		}
 		if len(restartErrors) != 0 {
 				return fmt.Errorf(
-				"stopContainersAndRun: %d error(s) restarting containers and services: %w",
+					"runScript: error %w executing the script followed by %w calling the registered hooks",
-				len(restartErrors),
+					scriptErr,
-				join(restartErrors...),
+					hookErr,
 				)
 			}
 		s.logger.Infof(
 			"Restarted %d container(s) and the matching service(s).",
 			len(stoppedContainers),
 		)
 		return nil
 	}, stopError
 }
 // takeBackup creates a tar archive of the configured backup location and
 // saves it to disk.
 func (s *script) takeBackup() error {
 	s.file = timeutil.Strftime(&s.start, s.file)
 	if err := targz.Compress(s.c.BackupSources, s.file); err != nil {
 		return fmt.Errorf("takeBackup: error compressing backup folder: %w", err)
 	}
 	s.logger.Infof("Created backup of `%s` at `%s`.", s.c.BackupSources, s.file)
 	return nil
 }
 // encryptBackup encrypts the backup file using PGP and the configured passphrase.
 // In case no passphrase is given it returns early, leaving the backup file
 // untouched.
 func (s *script) encryptBackup() error {
 	if s.c.GpgPassphrase == "" {
 		return nil
 	}
 	defer os.Remove(s.file)
 	gpgFile := fmt.Sprintf("%s.gpg", s.file)
 	outFile, err := os.Create(gpgFile)
 	defer outFile.Close()
 	if err != nil {
 		return fmt.Errorf("encryptBackup: error opening out file: %w", err)
 	}
 	_, name := path.Split(s.file)
 	dst, err := openpgp.SymmetricallyEncrypt(outFile, []byte(s.c.GpgPassphrase), &openpgp.FileHints{
 		IsBinary: true,
 		FileName: name,
 	}, nil)
 	defer dst.Close()
 	if err != nil {
 		return fmt.Errorf("encryptBackup: error encrypting backup file: %w", err)
 	}
 	src, err := os.Open(s.file)
 	if err != nil {
 		return fmt.Errorf("encryptBackup: error opening backup file %s: %w", s.file, err)
 	}
 	if _, err := io.Copy(dst, src); err != nil {
 		return fmt.Errorf("encryptBackup: error writing ciphertext to file: %w", err)
 	}
 	s.file = gpgFile
 	s.logger.Infof("Encrypted backup using given passphrase, saving as `%s`.", s.file)
 	return nil
 }
 // copyBackup makes sure the backup file is copied to both local and remote locations
 // as per the given configuration.
 func (s *script) copyBackup() error {
 	_, name := path.Split(s.file)
 	if s.mc != nil {
 		_, err := s.mc.FPutObject(context.Background(), s.c.AwsS3BucketName, name, s.file, minio.PutObjectOptions{
 			ContentType: "application/tar+gzip",
 		})
 		if err != nil {
 			return fmt.Errorf("copyBackup: error uploading backup to remote storage: %w", err)
 		}
 		s.logger.Infof("Uploaded a copy of backup `%s` to bucket `%s`.", s.file, s.c.AwsS3BucketName)
 	}
 	if _, err := os.Stat(s.c.BackupArchive); !os.IsNotExist(err) {
 		if err := copy(s.file, path.Join(s.c.BackupArchive, name)); err != nil {
 			return fmt.Errorf("copyBackup: error copying file to local archive: %w", err)
 		}
 		s.logger.Infof("Stored copy of backup `%s` in local archive `%s`.", s.file, s.c.BackupArchive)
 		if s.c.BackupLatestSymlink != "" {
 			symlink := path.Join(s.c.BackupArchive, s.c.BackupLatestSymlink)
 			if _, err := os.Lstat(symlink); err == nil {
 				os.Remove(symlink)
 			}
 			if err := os.Symlink(name, symlink); err != nil {
 				return fmt.Errorf("copyBackup: error creating latest symlink: %w", err)
 			}
 			s.logger.Infof("Created/Updated symlink `%s` for latest backup.", s.c.BackupLatestSymlink)
 		}
 	}
 	return nil
 }
 // removeArtifacts removes the backup file from disk.
 func (s *script) removeArtifacts() error {
 	_, err := os.Stat(s.file)
 	if err != nil {
 		if os.IsNotExist(err) {
 			return nil
 		}
 		return fmt.Errorf("removeArtifacts: error calling stat on file %s: %w", s.file, err)
 	}
 	if err := os.Remove(s.file); err != nil {
 		return fmt.Errorf("removeArtifacts: error removing file %s: %w", s.file, err)
 	}
 	s.logger.Infof("Removed local artifacts %s.", s.file)
 	return nil
 }
 // pruneOldBackups rotates away backups from local and remote storages using
 // the given configuration. In case the given configuration would delete all
 // backups, it does nothing instead.
 func (s *script) pruneOldBackups() error {
 	if s.c.BackupRetentionDays < 0 {
 		return nil
 	}
 	if s.c.BackupPruningLeeway != 0 {
 		s.logger.Infof("Sleeping for %s before pruning backups.", s.c.BackupPruningLeeway)
 		time.Sleep(s.c.BackupPruningLeeway)
 	}
 	deadline := time.Now().AddDate(0, 0, -int(s.c.BackupRetentionDays))
 	if s.mc != nil {
 		candidates := s.mc.ListObjects(context.Background(), s.c.AwsS3BucketName, minio.ListObjectsOptions{
 			WithMetadata: true,
 			Prefix:       s.c.BackupPruningPrefix,
 		})
 		var matches []minio.ObjectInfo
 		var lenCandidates int
 		for candidate := range candidates {
 			lenCandidates++
 			if candidate.Err != nil {
 			return fmt.Errorf(
-					"pruneOldBackups: error looking up candidates from remote storage: %w",
+				"runScript: the script ran successfully, but an error occurred calling the registered hooks: %w",
-					candidate.Err,
+				hookErr,
 			)
 		}
-			if candidate.LastModified.Before(deadline) {
+		if scriptErr != nil {
-				matches = append(matches, candidate)
+			return fmt.Errorf("runScript: error running script: %w", scriptErr)
 		}
-		}
+		return nil
 		if len(matches) != 0 && len(matches) != lenCandidates {
 			objectsCh := make(chan minio.ObjectInfo)
 			go func() {
 				for _, match := range matches {
 					objectsCh <- match
 				}
 				close(objectsCh)
 	}()
 			errChan := s.mc.RemoveObjects(context.Background(), s.c.AwsS3BucketName, objectsCh, minio.RemoveObjectsOptions{})
 			var removeErrors []error
 			for result := range errChan {
 				if result.Err != nil {
 					removeErrors = append(removeErrors, result.Err)
 				}
 			}
-			if len(removeErrors) != 0 {
+	if runErr != nil {
-				return fmt.Errorf(
+		s.logger.Error(
-					"pruneOldBackups: %d error(s) removing files from remote storage: %w",
+			fmt.Sprintf("Script run failed: %v", runErr), "error", runErr,
 					len(removeErrors),
 					join(removeErrors...),
 		)
 	}
-			s.logger.Infof(
+	return runErr
-				"Pruned %d out of %d remote backup(s) as their age exceeded the configured retention period of %d days.",
+}
 				len(matches),
 				lenCandidates,
 				s.c.BackupRetentionDays,
 			)
 		} else if len(matches) != 0 && len(matches) == lenCandidates {
 			s.logger.Warnf(
 				"The current configuration would delete all %d remote backup copies.",
 				len(matches),
 			)
 			s.logger.Warn("Refusing to do so, please check your configuration.")
 		} else {
 			s.logger.Infof("None of %d remote backup(s) were pruned.", lenCandidates)
 		}
 	}
-	if _, err := os.Stat(s.c.BackupArchive); !os.IsNotExist(err) {
+func (c *command) runInForeground(profileCronExpression string) error {
-		candidates, err := filepath.Glob(
+	cr := cron.New(
-			path.Join(s.c.BackupArchive, fmt.Sprintf("%s*", s.c.BackupPruningPrefix)),
+		cron.WithParser(
 			cron.NewParser(
 				cron.SecondOptional | cron.Minute | cron.Hour | cron.Dom | cron.Month | cron.Dow | cron.Descriptor,
 			),
 		),
 	)
 		if err != nil {
 			return fmt.Errorf(
 				"pruneOldBackups: error looking up matching files, starting with: %w", err,
 			)
 		}
-		var matches []string
+	addJob := func(config *Config, name string) error {
-		for _, candidate := range candidates {
+		if _, err := cr.AddFunc(config.BackupCronExpression, func() {
-			fi, err := os.Stat(candidate)
+			c.logger.Info(
-			if err != nil {
+				fmt.Sprintf(
-				return fmt.Errorf(
+					"Now running script on schedule %s",
-					"pruneOldBackups: error calling stat on file %s: %w",
+					config.BackupCronExpression,
-					candidate,
+				),
 			)
 			if err := runScript(config); err != nil {
 				c.logger.Error(
 					fmt.Sprintf(
 						"Unexpected error running schedule %s: %v",
 						config.BackupCronExpression,
 						err,
 					),
 					"error",
 					err,
 				)
 			}
-
+		}); err != nil {
-			if fi.Mode() != os.ModeSymlink && fi.ModTime().Before(deadline) {
+			return fmt.Errorf("addJob: error adding schedule %s: %w", config.BackupCronExpression, err)
 				matches = append(matches, candidate)
 			}
 		}
-		if len(matches) != 0 && len(matches) != len(candidates) {
+		c.logger.Info(fmt.Sprintf("Successfully scheduled backup %s with expression %s", name, config.BackupCronExpression))
-			var removeErrors []error
+		if ok := checkCronSchedule(config.BackupCronExpression); !ok {
-			for _, candidate := range matches {
+			c.logger.Warn(
-				if err := os.Remove(candidate); err != nil {
+				fmt.Sprintf("Scheduled cron expression %s will never run, is this intentional?", config.BackupCronExpression),
 					removeErrors = append(removeErrors, err)
 				}
 			}
 			if len(removeErrors) != 0 {
 				return fmt.Errorf(
 					"pruneOldBackups: %d error(s) deleting local files, starting with: %w",
 					len(removeErrors),
 					join(removeErrors...),
 			)
 		}
-			s.logger.Infof(
+
-				"Pruned %d out of %d local backup(s) as their age exceeded the configured retention period of %d days.",
+		return nil
-				len(matches),
+	}
-				len(candidates),
+
-				s.c.BackupRetentionDays,
+	cs, err := loadEnvFiles("/etc/dockervolumebackup/conf.d")
-			)
+	if err != nil {
-		} else if len(matches) != 0 && len(matches) == len(candidates) {
+		if !os.IsNotExist(err) {
-			s.logger.Warnf(
+			return fmt.Errorf("runInForeground: could not load config from environment files: %w", err)
-				"The current configuration would delete all %d local backup copies.",
+		}
-				len(matches),
+
-			)
+		c, err := loadEnvVars()
-			s.logger.Warn("Refusing to do so, please check your configuration.")
+		if err != nil {
 			return fmt.Errorf("runInForeground: could not load config from environment variables: %w", err)
 		} else {
-			s.logger.Infof("None of %d local backup(s) were pruned.", len(candidates))
+			err = addJob(c, "from environment")
 			if err != nil {
 				return fmt.Errorf("runInForeground: error adding job from env: %w", err)
 			}
 		}
 	} else {
 		c.logger.Info("/etc/dockervolumebackup/conf.d was found, using configuration files from this directory.")
 		for _, config := range cs {
 			err = addJob(config.config, config.name)
 			if err != nil {
 				return fmt.Errorf("runInForeground: error adding jobs from conf files: %w", err)
 			}
 		}
 	}
 	if profileCronExpression != "" {
 		if _, err := cr.AddFunc(profileCronExpression, func() {
 			memStats := runtime.MemStats{}
 			runtime.ReadMemStats(&memStats)
 			c.logger.Info(
 				"Collecting runtime information",
 				"num_goroutines",
 				runtime.NumGoroutine(),
 				"memory_heap_alloc",
 				formatBytes(memStats.HeapAlloc, false),
 				"memory_heap_inuse",
 				formatBytes(memStats.HeapInuse, false),
 				"memory_heap_sys",
 				formatBytes(memStats.HeapSys, false),
 				"memory_heap_objects",
 				memStats.HeapObjects,
 			)
 		}); err != nil {
 			return fmt.Errorf("runInForeground: error adding profiling job: %w", err)
 		}
 	}
 	var quit = make(chan os.Signal, 1)
 	signal.Notify(quit, syscall.SIGTERM, syscall.SIGINT)
 	cr.Start()
 	<-quit
 	ctx := cr.Stop()
 	<-ctx.Done()
 	return nil
 }
-// runHooks runs all hooks that have been registered using the
+func (c *command) runAsCommand() error {
-// given level. In case executing a hook returns an error, the following
+	config, err := loadEnvVars()
-// hooks will still be run before the function returns an error.
+	if err != nil {
-func (s *script) runHooks(err error, targetLevel string) error {
+		return fmt.Errorf("runAsCommand: error loading env vars: %w", err)
 	var actionErrors []error
 	for _, hook := range s.hooks {
 		if hook.level != targetLevel {
 			continue
 	}
-		if err := hook.action(err, s.start, s.output.String()); err != nil {
+	err = runScript(config)
-			actionErrors = append(actionErrors, err)
+	if err != nil {
-		}
+		return fmt.Errorf("runAsCommand: error running script: %w", err)
 	}
 	if len(actionErrors) != 0 {
 		return join(actionErrors...)
 	}
 	return nil
 }
-// must exits the script run prematurely in case the given error
+func main() {
-// is non-nil. If failure hooks have been registered on the script object, they
+	foreground := flag.Bool("foreground", false, "run the tool in the foreground")
-// will be called, passing the failure and previous log output.
+	profile := flag.String("profile", "", "collect runtime metrics and log them periodically on the given cron expression")
-func (s *script) must(err error) {
+	flag.Parse()
-	if err != nil {
+
-		s.logger.Errorf("Fatal error running backup: %s", err)
+	c := newCommand()
-		if hookErr := s.runHooks(err, hookLevelFailure); hookErr != nil {
+	if *foreground {
-			s.logger.Errorf("An error occurred calling the registered failure hooks: %s", hookErr)
+		c.must(c.runInForeground(*profile))
-		}
+	} else {
-		panic(errors.New(msgBackupFailed))
+		c.must(c.runAsCommand())
 	}
 }
 // lock opens a lockfile at the given location, keeping it locked until the
 // caller invokes the returned release func. When invoked while the file is
 // still locked the function panics.
 func lock(lockfile string) func() error {
 	fileLock := flock.New(lockfile)
 	acquired, err := fileLock.TryLock()
 	if err != nil {
 		panic(err)
 	}
 	if !acquired {
 		panic("unable to acquire file lock")
 	}
 	return fileLock.Unlock
 }
 // copy creates a copy of the file located at `dst` at `src`.
 func copy(src, dst string) error {
 	in, err := os.Open(src)
 	if err != nil {
 		return err
 	}
 	defer in.Close()
 	out, err := os.Create(dst)
 	if err != nil {
 		return err
 	}
 	_, err = io.Copy(out, in)
 	if err != nil {
 		out.Close()
 		return err
 	}
 	return out.Close()
 }
 // join takes a list of errors and joins them into a single error
 func join(errs ...error) error {
 	if len(errs) == 1 {
 		return errs[0]
 	}
 	var msgs []string
 	for _, err := range errs {
 		if err == nil {
 			continue
 		}
 		msgs = append(msgs, err.Error())
 	}
 	return errors.New("[" + strings.Join(msgs, ", ") + "]")
 }
 // buffer takes an io.Writer and returns a wrapped version of the
 // writer that writes to both the original target as well as the returned buffer
 func buffer(w io.Writer) (io.Writer, *bytes.Buffer) {
 	buffering := &bufferingWriter{buf: bytes.Buffer{}, writer: w}
 	return buffering, &buffering.buf
 }
 type bufferingWriter struct {
 	buf    bytes.Buffer
 	writer io.Writer
 }
 func (b *bufferingWriter) Write(p []byte) (n int, err error) {
 	if n, err := b.buf.Write(p); err != nil {
 		return n, fmt.Errorf("bufferingWriter: error writing to buffer: %w", err)
 	}
 	return b.writer.Write(p)
 }
 // hook contains a queued action that can be trigger them when the script
 // reaches a certain point (e.g. unsuccessful backup)
 type hook struct {
 	level  string
 	action func(err error, start time.Time, logOutput string) error
 }
 const (
 	hookLevelFailure = "failure"
 )
--- a/cmd/backup/notifications.go
+++ b/cmd/backup/notifications.go
@@ -0,0 +1,129 @@
 // Copyright 2022 - Offen Authors <hioffen@posteo.de>
 // SPDX-License-Identifier: MPL-2.0
 package main
 import (
 	"bytes"
 	_ "embed"
 	"encoding/json"
 	"errors"
 	"fmt"
 	"os"
 	"text/template"
 	"time"
 	sTypes "github.com/containrrr/shoutrrr/pkg/types"
 )
 //go:embed notifications.tmpl
 var defaultNotifications string
 // NotificationData data to be passed to the notification templates
 type NotificationData struct {
 	Error  error
 	Config *Config
 	Stats  *Stats
 }
 // notify sends a notification using the given title and body templates.
 // Automatically creates notification data, adding the given error
 func (s *script) notify(titleTemplate string, bodyTemplate string, err error) error {
 	params := NotificationData{
 		Error:  err,
 		Stats:  s.stats,
 		Config: s.c,
 	}
 	titleBuf := &bytes.Buffer{}
 	if err := s.template.ExecuteTemplate(titleBuf, titleTemplate, params); err != nil {
 		return fmt.Errorf("notify: error executing %s template: %w", titleTemplate, err)
 	}
 	bodyBuf := &bytes.Buffer{}
 	if err := s.template.ExecuteTemplate(bodyBuf, bodyTemplate, params); err != nil {
 		return fmt.Errorf("notify: error executing %s template: %w", bodyTemplate, err)
 	}
 	if err := s.sendNotification(titleBuf.String(), bodyBuf.String()); err != nil {
 		return fmt.Errorf("notify: error notifying: %w", err)
 	}
 	return nil
 }
 // notifyFailure sends a notification about a failed backup run
 func (s *script) notifyFailure(err error) error {
 	return s.notify("title_failure", "body_failure", err)
 }
 // notifyFailure sends a notification about a successful backup run
 func (s *script) notifySuccess() error {
 	return s.notify("title_success", "body_success", nil)
 }
 // sendNotification sends a notification to all configured third party services
 func (s *script) sendNotification(title, body string) error {
 	var errs []error
 	for _, result := range s.sender.Send(body, &sTypes.Params{"title": title}) {
 		if result != nil {
 			errs = append(errs, result)
 		}
 	}
 	if len(errs) != 0 {
 		return fmt.Errorf("sendNotification: error sending message: %w", errors.Join(errs...))
 	}
 	return nil
 }
 var templateHelpers = template.FuncMap{
 	"formatTime": func(t time.Time) string {
 		return t.Format(time.RFC3339)
 	},
 	"formatBytesDec": func(bytes uint64) string {
 		return formatBytes(bytes, true)
 	},
 	"formatBytesBin": func(bytes uint64) string {
 		return formatBytes(bytes, false)
 	},
 	"env":          os.Getenv,
 	"toJson":       toJson,
 	"toPrettyJson": toPrettyJson,
 }
 // formatBytes converts an amount of bytes in a human-readable representation
 // the decimal parameter specifies if using powers of 1000 (decimal) or powers of 1024 (binary)
 func formatBytes(b uint64, decimal bool) string {
 	unit := uint64(1024)
 	format := "%.1f %ciB"
 	if decimal {
 		unit = uint64(1000)
 		format = "%.1f %cB"
 	}
 	if b < unit {
 		return fmt.Sprintf("%d B", b)
 	}
 	div, exp := unit, 0
 	for n := b / unit; n >= unit; n /= unit {
 		div *= unit
 		exp++
 	}
 	return fmt.Sprintf(format, float64(b)/float64(div), "kMGTPE"[exp])
 }
 func toJson(v interface{}) string {
 	var bytes []byte
 	var err error
 	if bytes, err = json.Marshal(v); err != nil {
 		return fmt.Sprintf("failed to marshal JSON in notification template: %v", err)
 	}
 	return string(bytes)
 }
 func toPrettyJson(v interface{}) string {
 	var bytes []byte
 	var err error
 	if bytes, err = json.MarshalIndent(v, "", "  "); err != nil {
 		return fmt.Sprintf("failed to marshal indent JSON in notification template: %v", err)
 	}
 	return string(bytes)
 }
--- a/cmd/backup/notifications.tmpl
+++ b/cmd/backup/notifications.tmpl
@@ -0,0 +1,26 @@
 {{ define "title_failure" -}}
 Failure running docker-volume-backup at {{ .Stats.StartTime | formatTime }}
 {{- end }}
 {{ define "body_failure" -}}
 Running docker-volume-backup failed with error: {{ .Error }}
 Log output of the failed run was:
 {{ .Stats.LogOutput }}
 {{- end }}
 {{ define "title_success" -}}
 Success running docker-volume-backup at {{ .Stats.StartTime | formatTime }}
 {{- end }}
 {{ define "body_success" -}}
 Running docker-volume-backup succeeded.
 Log output was:
 {{ .Stats.LogOutput }}
 {{- end }}
--- a/cmd/backup/script.go
+++ b/cmd/backup/script.go
@@ -0,0 +1,498 @@
 // Copyright 2022 - Offen Authors <hioffen@posteo.de>
 // SPDX-License-Identifier: MPL-2.0
 package main
 import (
 	"bytes"
 	"fmt"
 	"io"
 	"io/fs"
 	"log/slog"
 	"os"
 	"path"
 	"path/filepath"
 	"slices"
 	"strings"
 	"text/template"
 	"time"
 	"github.com/offen/docker-volume-backup/internal/storage"
 	"github.com/offen/docker-volume-backup/internal/storage/azure"
 	"github.com/offen/docker-volume-backup/internal/storage/dropbox"
 	"github.com/offen/docker-volume-backup/internal/storage/local"
 	"github.com/offen/docker-volume-backup/internal/storage/s3"
 	"github.com/offen/docker-volume-backup/internal/storage/ssh"
 	"github.com/offen/docker-volume-backup/internal/storage/webdav"
 	openpgp "github.com/ProtonMail/go-crypto/openpgp/v2"
 	"github.com/containrrr/shoutrrr"
 	"github.com/containrrr/shoutrrr/pkg/router"
 	"github.com/docker/docker/client"
 	"github.com/leekchan/timeutil"
 	"github.com/otiai10/copy"
 	"golang.org/x/sync/errgroup"
 )
 // script holds all the stateful information required to orchestrate a
 // single backup run.
 type script struct {
 	cli       *client.Client
 	storages  []storage.Backend
 	logger    *slog.Logger
 	sender    *router.ServiceRouter
 	template  *template.Template
 	hooks     []hook
 	hookLevel hookLevel
 	file  string
 	stats *Stats
 	encounteredLock bool
 	c *Config
 }
 // newScript creates all resources needed for the script to perform actions against
 // remote resources like the Docker engine or remote storage locations. All
 // reading from env vars or other configuration sources is expected to happen
 // in this method.
 func newScript(c *Config) (*script, error) {
 	stdOut, logBuffer := buffer(os.Stdout)
 	s := &script{
 		c:      c,
 		logger: slog.New(slog.NewTextHandler(stdOut, nil)),
 		stats: &Stats{
 			StartTime: time.Now(),
 			LogOutput: logBuffer,
 			Storages: map[string]StorageStats{
 				"S3":      {},
 				"WebDAV":  {},
 				"SSH":     {},
 				"Local":   {},
 				"Azure":   {},
 				"Dropbox": {},
 			},
 		},
 	}
 	s.registerHook(hookLevelPlumbing, func(error) error {
 		s.stats.EndTime = time.Now()
 		s.stats.TookTime = s.stats.EndTime.Sub(s.stats.StartTime)
 		return nil
 	})
 	s.file = path.Join("/tmp", s.c.BackupFilename)
 	tmplFileName, tErr := template.New("extension").Parse(s.file)
 	if tErr != nil {
 		return nil, fmt.Errorf("newScript: unable to parse backup file extension template: %w", tErr)
 	}
 	var bf bytes.Buffer
 	if tErr := tmplFileName.Execute(&bf, map[string]string{
 		"Extension": fmt.Sprintf("tar.%s", s.c.BackupCompression),
 	}); tErr != nil {
 		return nil, fmt.Errorf("newScript: error executing backup file extension template: %w", tErr)
 	}
 	s.file = bf.String()
 	if s.c.BackupFilenameExpand {
 		s.file = os.ExpandEnv(s.file)
 		s.c.BackupLatestSymlink = os.ExpandEnv(s.c.BackupLatestSymlink)
 		s.c.BackupPruningPrefix = os.ExpandEnv(s.c.BackupPruningPrefix)
 	}
 	s.file = timeutil.Strftime(&s.stats.StartTime, s.file)
 	_, err := os.Stat("/var/run/docker.sock")
 	_, dockerHostSet := os.LookupEnv("DOCKER_HOST")
 	if !os.IsNotExist(err) || dockerHostSet {
 		cli, err := client.NewClientWithOpts(client.FromEnv, client.WithAPIVersionNegotiation())
 		if err != nil {
 			return nil, fmt.Errorf("newScript: failed to create docker client")
 		}
 		s.cli = cli
 		s.registerHook(hookLevelPlumbing, func(err error) error {
 			if err := s.cli.Close(); err != nil {
 				return fmt.Errorf("newScript: failed to close docker client: %w", err)
 			}
 			return nil
 		})
 	}
 	logFunc := func(logType storage.LogLevel, context string, msg string, params ...any) {
 		switch logType {
 		case storage.LogLevelWarning:
 			s.logger.Warn(fmt.Sprintf(msg, params...), "storage", context)
 		case storage.LogLevelError:
 			s.logger.Error(fmt.Sprintf(msg, params...), "storage", context)
 		default:
 			s.logger.Info(fmt.Sprintf(msg, params...), "storage", context)
 		}
 	}
 	if s.c.AwsS3BucketName != "" {
 		s3Config := s3.Config{
 			Endpoint:         s.c.AwsEndpoint,
 			AccessKeyID:      s.c.AwsAccessKeyID,
 			SecretAccessKey:  s.c.AwsSecretAccessKey,
 			IamRoleEndpoint:  s.c.AwsIamRoleEndpoint,
 			EndpointProto:    s.c.AwsEndpointProto,
 			EndpointInsecure: s.c.AwsEndpointInsecure,
 			RemotePath:       s.c.AwsS3Path,
 			BucketName:       s.c.AwsS3BucketName,
 			StorageClass:     s.c.AwsStorageClass,
 			CACert:           s.c.AwsEndpointCACert.Cert,
 			PartSize:         s.c.AwsPartSize,
 		}
 		s3Backend, err := s3.NewStorageBackend(s3Config, logFunc)
 		if err != nil {
 			return nil, fmt.Errorf("newScript: error creating s3 storage backend: %w", err)
 		}
 		s.storages = append(s.storages, s3Backend)
 	}
 	if s.c.WebdavUrl != "" {
 		webDavConfig := webdav.Config{
 			URL:         s.c.WebdavUrl,
 			URLInsecure: s.c.WebdavUrlInsecure,
 			Username:    s.c.WebdavUsername,
 			Password:    s.c.WebdavPassword,
 			RemotePath:  s.c.WebdavPath,
 		}
 		webdavBackend, err := webdav.NewStorageBackend(webDavConfig, logFunc)
 		if err != nil {
 			return nil, fmt.Errorf("newScript: error creating webdav storage backend: %w", err)
 		}
 		s.storages = append(s.storages, webdavBackend)
 	}
 	if s.c.SSHHostName != "" {
 		sshConfig := ssh.Config{
 			HostName:           s.c.SSHHostName,
 			Port:               s.c.SSHPort,
 			User:               s.c.SSHUser,
 			Password:           s.c.SSHPassword,
 			IdentityFile:       s.c.SSHIdentityFile,
 			IdentityPassphrase: s.c.SSHIdentityPassphrase,
 			RemotePath:         s.c.SSHRemotePath,
 		}
 		sshBackend, err := ssh.NewStorageBackend(sshConfig, logFunc)
 		if err != nil {
 			return nil, fmt.Errorf("newScript: error creating ssh storage backend: %w", err)
 		}
 		s.storages = append(s.storages, sshBackend)
 	}
 	if _, err := os.Stat(s.c.BackupArchive); !os.IsNotExist(err) {
 		localConfig := local.Config{
 			ArchivePath:   s.c.BackupArchive,
 			LatestSymlink: s.c.BackupLatestSymlink,
 		}
 		localBackend := local.NewStorageBackend(localConfig, logFunc)
 		s.storages = append(s.storages, localBackend)
 	}
 	if s.c.AzureStorageAccountName != "" {
 		azureConfig := azure.Config{
 			ContainerName:     s.c.AzureStorageContainerName,
 			AccountName:       s.c.AzureStorageAccountName,
 			PrimaryAccountKey: s.c.AzureStoragePrimaryAccountKey,
 			Endpoint:          s.c.AzureStorageEndpoint,
 			RemotePath:        s.c.AzureStoragePath,
 		}
 		azureBackend, err := azure.NewStorageBackend(azureConfig, logFunc)
 		if err != nil {
 			return nil, fmt.Errorf("newScript: error creating azure storage backend: %w", err)
 		}
 		s.storages = append(s.storages, azureBackend)
 	}
 	if s.c.DropboxRefreshToken != "" && s.c.DropboxAppKey != "" && s.c.DropboxAppSecret != "" {
 		dropboxConfig := dropbox.Config{
 			Endpoint:         s.c.DropboxEndpoint,
 			OAuth2Endpoint:   s.c.DropboxOAuth2Endpoint,
 			RefreshToken:     s.c.DropboxRefreshToken,
 			AppKey:           s.c.DropboxAppKey,
 			AppSecret:        s.c.DropboxAppSecret,
 			RemotePath:       s.c.DropboxRemotePath,
 			ConcurrencyLevel: s.c.DropboxConcurrencyLevel.Int(),
 		}
 		dropboxBackend, err := dropbox.NewStorageBackend(dropboxConfig, logFunc)
 		if err != nil {
 			return nil, fmt.Errorf("newScript: error creating dropbox storage backend: %w", err)
 		}
 		s.storages = append(s.storages, dropboxBackend)
 	}
 	if s.c.EmailNotificationRecipient != "" {
 		emailURL := fmt.Sprintf(
 			"smtp://%s:%s@%s:%d/?from=%s&to=%s",
 			s.c.EmailSMTPUsername,
 			s.c.EmailSMTPPassword,
 			s.c.EmailSMTPHost,
 			s.c.EmailSMTPPort,
 			s.c.EmailNotificationSender,
 			s.c.EmailNotificationRecipient,
 		)
 		s.c.NotificationURLs = append(s.c.NotificationURLs, emailURL)
 		s.logger.Warn(
 			"Using EMAIL_* keys for providing notification configuration has been deprecated and will be removed in the next major version.",
 		)
 		s.logger.Warn(
 			"Please use NOTIFICATION_URLS instead. Refer to the README for an upgrade guide.",
 		)
 	}
 	hookLevel, ok := hookLevels[s.c.NotificationLevel]
 	if !ok {
 		return nil, fmt.Errorf("newScript: unknown NOTIFICATION_LEVEL %s", s.c.NotificationLevel)
 	}
 	s.hookLevel = hookLevel
 	if len(s.c.NotificationURLs) > 0 {
 		sender, senderErr := shoutrrr.CreateSender(s.c.NotificationURLs...)
 		if senderErr != nil {
 			return nil, fmt.Errorf("newScript: error creating sender: %w", senderErr)
 		}
 		s.sender = sender
 		tmpl := template.New("")
 		tmpl.Funcs(templateHelpers)
 		tmpl, err = tmpl.Parse(defaultNotifications)
 		if err != nil {
 			return nil, fmt.Errorf("newScript: unable to parse default notifications templates: %w", err)
 		}
 		if fi, err := os.Stat("/etc/dockervolumebackup/notifications.d"); err == nil && fi.IsDir() {
 			tmpl, err = tmpl.ParseGlob("/etc/dockervolumebackup/notifications.d/*.*")
 			if err != nil {
 				return nil, fmt.Errorf("newScript: unable to parse user defined notifications templates: %w", err)
 			}
 		}
 		s.template = tmpl
 		// To prevent duplicate notifications, ensure the regsistered callbacks
 		// run mutually exclusive.
 		s.registerHook(hookLevelError, func(err error) error {
 			if err == nil {
 				return nil
 			}
 			return s.notifyFailure(err)
 		})
 		s.registerHook(hookLevelInfo, func(err error) error {
 			if err != nil {
 				return nil
 			}
 			return s.notifySuccess()
 		})
 	}
 	return s, nil
 }
 // createArchive creates a tar archive of the configured backup location and
 // saves it to disk.
 func (s *script) createArchive() error {
 	backupSources := s.c.BackupSources
 	if s.c.BackupFromSnapshot {
 		s.logger.Warn(
 			"Using BACKUP_FROM_SNAPSHOT has been deprecated and will be removed in the next major version.",
 		)
 		s.logger.Warn(
 			"Please use `archive-pre` and `archive-post` commands to prepare your backup sources. Refer to the documentation for an upgrade guide.",
 		)
 		backupSources = filepath.Join("/tmp", s.c.BackupSources)
 		// copy before compressing guard against a situation where backup folder's content are still growing.
 		s.registerHook(hookLevelPlumbing, func(error) error {
 			if err := remove(backupSources); err != nil {
 				return fmt.Errorf("createArchive: error removing snapshot: %w", err)
 			}
 			s.logger.Info(
 				fmt.Sprintf("Removed snapshot `%s`.", backupSources),
 			)
 			return nil
 		})
 		if err := copy.Copy(s.c.BackupSources, backupSources, copy.Options{
 			PreserveTimes: true,
 			PreserveOwner: true,
 		}); err != nil {
 			return fmt.Errorf("createArchive: error creating snapshot: %w", err)
 		}
 		s.logger.Info(
 			fmt.Sprintf("Created snapshot of `%s` at `%s`.", s.c.BackupSources, backupSources),
 		)
 	}
 	tarFile := s.file
 	s.registerHook(hookLevelPlumbing, func(error) error {
 		if err := remove(tarFile); err != nil {
 			return fmt.Errorf("createArchive: error removing tar file: %w", err)
 		}
 		s.logger.Info(
 			fmt.Sprintf("Removed tar file `%s`.", tarFile),
 		)
 		return nil
 	})
 	backupPath, err := filepath.Abs(stripTrailingSlashes(backupSources))
 	if err != nil {
 		return fmt.Errorf("createArchive: error getting absolute path: %w", err)
 	}
 	var filesEligibleForBackup []string
 	if err := filepath.WalkDir(backupPath, func(path string, di fs.DirEntry, err error) error {
 		if err != nil {
 			return err
 		}
 		if s.c.BackupExcludeRegexp.Re != nil && s.c.BackupExcludeRegexp.Re.MatchString(path) {
 			return nil
 		}
 		filesEligibleForBackup = append(filesEligibleForBackup, path)
 		return nil
 	}); err != nil {
 		return fmt.Errorf("createArchive: error walking filesystem tree: %w", err)
 	}
 	if err := createArchive(filesEligibleForBackup, backupSources, tarFile, s.c.BackupCompression.String(), s.c.GzipParallelism.Int()); err != nil {
 		return fmt.Errorf("createArchive: error compressing backup folder: %w", err)
 	}
 	s.logger.Info(
 		fmt.Sprintf("Created backup of `%s` at `%s`.", backupSources, tarFile),
 	)
 	return nil
 }
 // encryptArchive encrypts the backup file using PGP and the configured passphrase.
 // In case no passphrase is given it returns early, leaving the backup file
 // untouched.
 func (s *script) encryptArchive() error {
 	if s.c.GpgPassphrase == "" {
 		return nil
 	}
 	gpgFile := fmt.Sprintf("%s.gpg", s.file)
 	s.registerHook(hookLevelPlumbing, func(error) error {
 		if err := remove(gpgFile); err != nil {
 			return fmt.Errorf("encryptArchive: error removing gpg file: %w", err)
 		}
 		s.logger.Info(
 			fmt.Sprintf("Removed GPG file `%s`.", gpgFile),
 		)
 		return nil
 	})
 	outFile, err := os.Create(gpgFile)
 	if err != nil {
 		return fmt.Errorf("encryptArchive: error opening out file: %w", err)
 	}
 	defer outFile.Close()
 	_, name := path.Split(s.file)
 	dst, err := openpgp.SymmetricallyEncrypt(outFile, []byte(s.c.GpgPassphrase), &openpgp.FileHints{
 		FileName: name,
 	}, nil)
 	if err != nil {
 		return fmt.Errorf("encryptArchive: error encrypting backup file: %w", err)
 	}
 	defer dst.Close()
 	src, err := os.Open(s.file)
 	if err != nil {
 		return fmt.Errorf("encryptArchive: error opening backup file `%s`: %w", s.file, err)
 	}
 	if _, err := io.Copy(dst, src); err != nil {
 		return fmt.Errorf("encryptArchive: error writing ciphertext to file: %w", err)
 	}
 	s.file = gpgFile
 	s.logger.Info(
 		fmt.Sprintf("Encrypted backup using given passphrase, saving as `%s`.", s.file),
 	)
 	return nil
 }
 // copyArchive makes sure the backup file is copied to both local and remote locations
 // as per the given configuration.
 func (s *script) copyArchive() error {
 	_, name := path.Split(s.file)
 	if stat, err := os.Stat(s.file); err != nil {
 		return fmt.Errorf("copyArchive: unable to stat backup file: %w", err)
 	} else {
 		size := stat.Size()
 		s.stats.BackupFile = BackupFileStats{
 			Size:     uint64(size),
 			Name:     name,
 			FullPath: s.file,
 		}
 	}
 	eg := errgroup.Group{}
 	for _, backend := range s.storages {
 		b := backend
 		eg.Go(func() error {
 			return b.Copy(s.file)
 		})
 	}
 	if err := eg.Wait(); err != nil {
 		return fmt.Errorf("copyArchive: error copying archive: %w", err)
 	}
 	return nil
 }
 // pruneBackups rotates away backups from local and remote storages using
 // the given configuration. In case the given configuration would delete all
 // backups, it does nothing instead and logs a warning.
 func (s *script) pruneBackups() error {
 	if s.c.BackupRetentionDays < 0 {
 		return nil
 	}
 	deadline := time.Now().AddDate(0, 0, -int(s.c.BackupRetentionDays)).Add(s.c.BackupPruningLeeway)
 	eg := errgroup.Group{}
 	for _, backend := range s.storages {
 		b := backend
 		eg.Go(func() error {
 			if skipPrune(b.Name(), s.c.BackupSkipBackendsFromPrune) {
 				s.logger.Info(
 					fmt.Sprintf("Skipping pruning for backend `%s`.", b.Name()),
 				)
 				return nil
 			}
 			stats, err := b.Prune(deadline, s.c.BackupPruningPrefix)
 			if err != nil {
 				return err
 			}
 			s.stats.Lock()
 			s.stats.Storages[b.Name()] = StorageStats{
 				Total:  stats.Total,
 				Pruned: stats.Pruned,
 			}
 			s.stats.Unlock()
 			return nil
 		})
 	}
 	if err := eg.Wait(); err != nil {
 		return fmt.Errorf("pruneBackups: error pruning backups: %w", err)
 	}
 	return nil
 }
 // skipPrune returns true if the given backend name is contained in the
 // list of skipped backends.
 func skipPrune(name string, skippedBackends []string) bool {
 	return slices.ContainsFunc(
 		skippedBackends,
 		func(b string) bool {
 			return strings.EqualFold(b, name) // ignore case on both sides
 		},
 	)
 }
--- a/cmd/backup/stats.go
+++ b/cmd/backup/stats.go
@@ -0,0 +1,55 @@
 // Copyright 2022 - Offen Authors <hioffen@posteo.de>
 // SPDX-License-Identifier: MPL-2.0
 package main
 import (
 	"bytes"
 	"sync"
 	"time"
 )
 // ContainersStats stats about the docker containers
 type ContainersStats struct {
 	All        uint
 	ToStop     uint
 	Stopped    uint
 	StopErrors uint
 }
 // ServicesStats contains info about Swarm services that have been
 // operated upon
 type ServicesStats struct {
 	All             uint
 	ToScaleDown     uint
 	ScaledDown      uint
 	ScaleDownErrors uint
 }
 // BackupFileStats stats about the created backup file
 type BackupFileStats struct {
 	Name     string
 	FullPath string
 	Size     uint64
 }
 // StorageStats stats about the status of an archival directory
 type StorageStats struct {
 	Total       uint
 	Pruned      uint
 	PruneErrors uint
 }
 // Stats global stats regarding script execution
 type Stats struct {
 	sync.Mutex
 	StartTime  time.Time
 	EndTime    time.Time
 	TookTime   time.Duration
 	LockedTime time.Duration
 	LogOutput  *bytes.Buffer
 	Containers ContainersStats
 	Services   ServicesStats
 	BackupFile BackupFileStats
 	Storages   map[string]StorageStats
 }
--- a/cmd/backup/stop_restart.go
+++ b/cmd/backup/stop_restart.go
@@ -0,0 +1,338 @@
 package main
 import (
 	"context"
 	"errors"
 	"fmt"
 	"io"
 	"os"
 	"sync"
 	"time"
 	"github.com/docker/cli/cli/command/service/progress"
 	"github.com/docker/docker/api/types"
 	ctr "github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/api/types/filters"
 	"github.com/docker/docker/api/types/swarm"
 	"github.com/docker/docker/client"
 )
 func scaleService(cli *client.Client, serviceID string, replicas uint64) ([]string, error) {
 	service, _, err := cli.ServiceInspectWithRaw(context.Background(), serviceID, types.ServiceInspectOptions{})
 	if err != nil {
 		return nil, fmt.Errorf("scaleService: error inspecting service %s: %w", serviceID, err)
 	}
 	serviceMode := &service.Spec.Mode
 	switch {
 	case serviceMode.Replicated != nil:
 		serviceMode.Replicated.Replicas = &replicas
 	default:
 		return nil, fmt.Errorf("scaleService: service to be scaled %s has to be in replicated mode", service.Spec.Name)
 	}
 	response, err := cli.ServiceUpdate(context.Background(), service.ID, service.Version, service.Spec, types.ServiceUpdateOptions{})
 	if err != nil {
 		return nil, fmt.Errorf("scaleService: error updating service: %w", err)
 	}
 	discardWriter := &noopWriteCloser{io.Discard}
 	if err := progress.ServiceProgress(context.Background(), cli, service.ID, discardWriter); err != nil {
 		return nil, err
 	}
 	return response.Warnings, nil
 }
 func awaitContainerCountForService(cli *client.Client, serviceID string, count int, timeoutAfter time.Duration) error {
 	poll := time.NewTicker(time.Second)
 	timeout := time.NewTimer(timeoutAfter)
 	defer timeout.Stop()
 	defer poll.Stop()
 	for {
 		select {
 		case <-timeout.C:
 			return fmt.Errorf(
 				"awaitContainerCount: timed out after waiting %s for service %s to reach desired container count of %d",
 				timeoutAfter,
 				serviceID,
 				count,
 			)
 		case <-poll.C:
 			containers, err := cli.ContainerList(context.Background(), types.ContainerListOptions{
 				Filters: filters.NewArgs(filters.KeyValuePair{
 					Key:   "label",
 					Value: fmt.Sprintf("com.docker.swarm.service.id=%s", serviceID),
 				}),
 			})
 			if err != nil {
 				return fmt.Errorf("awaitContainerCount: error listing containers: %w", err)
 			}
 			if len(containers) == count {
 				return nil
 			}
 		}
 	}
 }
 // stopContainersAndServices stops all Docker containers that are marked as to being
 // stopped during the backup and returns a function that can be called to
 // restart everything that has been stopped.
 func (s *script) stopContainersAndServices() (func() error, error) {
 	if s.cli == nil {
 		return noop, nil
 	}
 	dockerInfo, err := s.cli.Info(context.Background())
 	if err != nil {
 		return noop, fmt.Errorf("(*script).stopContainersAndServices: error getting docker info: %w", err)
 	}
 	isDockerSwarm := dockerInfo.Swarm.LocalNodeState != "inactive"
 	labelValue := s.c.BackupStopDuringBackupLabel
 	if s.c.BackupStopContainerLabel != "" {
 		s.logger.Warn(
 			"Using BACKUP_STOP_CONTAINER_LABEL has been deprecated and will be removed in the next major version.",
 		)
 		s.logger.Warn(
 			"Please use BACKUP_STOP_DURING_BACKUP_LABEL instead. Refer to the docs for an upgrade guide.",
 		)
 		if _, ok := os.LookupEnv("BACKUP_STOP_DURING_BACKUP_LABEL"); ok {
 			return noop, errors.New("(*script).stopContainersAndServices: both BACKUP_STOP_DURING_BACKUP_LABEL and BACKUP_STOP_CONTAINER_LABEL have been set, cannot continue")
 		}
 		labelValue = s.c.BackupStopContainerLabel
 	}
 	filterMatchLabel := fmt.Sprintf(
 		"docker-volume-backup.stop-during-backup=%s",
 		labelValue,
 	)
 	allContainers, err := s.cli.ContainerList(context.Background(), types.ContainerListOptions{})
 	if err != nil {
 		return noop, fmt.Errorf("(*script).stopContainersAndServices: error querying for containers: %w", err)
 	}
 	containersToStop, err := s.cli.ContainerList(context.Background(), types.ContainerListOptions{
 		Filters: filters.NewArgs(filters.KeyValuePair{
 			Key:   "label",
 			Value: filterMatchLabel,
 		}),
 	})
 	if err != nil {
 		return noop, fmt.Errorf("(*script).stopContainersAndServices: error querying for containers to stop: %w", err)
 	}
 	var allServices []swarm.Service
 	var servicesToScaleDown []handledSwarmService
 	if isDockerSwarm {
 		allServices, err = s.cli.ServiceList(context.Background(), types.ServiceListOptions{})
 		if err != nil {
 			return noop, fmt.Errorf("(*script).stopContainersAndServices: error querying for services: %w", err)
 		}
 		matchingServices, err := s.cli.ServiceList(context.Background(), types.ServiceListOptions{
 			Filters: filters.NewArgs(filters.KeyValuePair{
 				Key:   "label",
 				Value: filterMatchLabel,
 			}),
 			Status: true,
 		})
 		for _, s := range matchingServices {
 			servicesToScaleDown = append(servicesToScaleDown, handledSwarmService{
 				serviceID:           s.ID,
 				initialReplicaCount: *s.Spec.Mode.Replicated.Replicas,
 			})
 		}
 		if err != nil {
 			return noop, fmt.Errorf("(*script).stopContainersAndServices: error querying for services to scale down: %w", err)
 		}
 	}
 	if len(containersToStop) == 0 && len(servicesToScaleDown) == 0 {
 		return noop, nil
 	}
 	if isDockerSwarm {
 		for _, container := range containersToStop {
 			if swarmServiceID, ok := container.Labels["com.docker.swarm.service.id"]; ok {
 				parentService, _, err := s.cli.ServiceInspectWithRaw(context.Background(), swarmServiceID, types.ServiceInspectOptions{})
 				if err != nil {
 					return noop, fmt.Errorf("(*script).stopContainersAndServices: error querying for parent service with ID %s: %w", swarmServiceID, err)
 				}
 				for label := range parentService.Spec.Labels {
 					if label == "docker-volume-backup.stop-during-backup" {
 						return noop, fmt.Errorf(
 							"(*script).stopContainersAndServices: container %s is labeled to stop but has parent service %s which is also labeled, cannot continue",
 							container.Names[0],
 							parentService.Spec.Name,
 						)
 					}
 				}
 			}
 		}
 	}
 	s.logger.Info(
 		fmt.Sprintf(
 			"Stopping %d out of %d running container(s) as they were labeled %s.",
 			len(containersToStop),
 			len(allContainers),
 			filterMatchLabel,
 		),
 	)
 	if isDockerSwarm {
 		s.logger.Info(
 			fmt.Sprintf(
 				"Scaling down %d out of %d active service(s) as they were labeled %s.",
 				len(servicesToScaleDown),
 				len(allServices),
 				filterMatchLabel,
 			),
 		)
 	}
 	var stoppedContainers []types.Container
 	var stopErrors []error
 	for _, container := range containersToStop {
 		if err := s.cli.ContainerStop(context.Background(), container.ID, ctr.StopOptions{}); err != nil {
 			stopErrors = append(stopErrors, err)
 		} else {
 			stoppedContainers = append(stoppedContainers, container)
 		}
 	}
 	var scaledDownServices []handledSwarmService
 	var scaleDownErrors concurrentSlice[error]
 	if isDockerSwarm {
 		wg := sync.WaitGroup{}
 		for _, svc := range servicesToScaleDown {
 			wg.Add(1)
 			go func(svc handledSwarmService) {
 				defer wg.Done()
 				warnings, err := scaleService(s.cli, svc.serviceID, 0)
 				if err != nil {
 					scaleDownErrors.append(err)
 					return
 				}
 				scaledDownServices = append(scaledDownServices, svc)
 				for _, warning := range warnings {
 					s.logger.Warn(
 						fmt.Sprintf("The Docker API returned a warning when scaling down service %s: %s", svc.serviceID, warning),
 					)
 				}
 				// progress.ServiceProgress returns too early, so we need to manually check
 				// whether all containers belonging to the service have actually been removed
 				if err := awaitContainerCountForService(s.cli, svc.serviceID, 0, s.c.BackupStopServiceTimeout); err != nil {
 					scaleDownErrors.append(err)
 				}
 			}(svc)
 		}
 		wg.Wait()
 	}
 	s.stats.Containers = ContainersStats{
 		All:        uint(len(allContainers)),
 		ToStop:     uint(len(containersToStop)),
 		Stopped:    uint(len(stoppedContainers)),
 		StopErrors: uint(len(stopErrors)),
 	}
 	s.stats.Services = ServicesStats{
 		All:             uint(len(allServices)),
 		ToScaleDown:     uint(len(servicesToScaleDown)),
 		ScaledDown:      uint(len(scaledDownServices)),
 		ScaleDownErrors: uint(len(scaleDownErrors.value())),
 	}
 	var initialErr error
 	allErrors := append(stopErrors, scaleDownErrors.value()...)
 	if len(allErrors) != 0 {
 		initialErr = fmt.Errorf(
 			"(*script).stopContainersAndServices: %d error(s) stopping containers: %w",
 			len(allErrors),
 			errors.Join(allErrors...),
 		)
 	}
 	return func() error {
 		var restartErrors []error
 		matchedServices := map[string]bool{}
 		for _, container := range stoppedContainers {
 			if swarmServiceID, ok := container.Labels["com.docker.swarm.service.id"]; ok && isDockerSwarm {
 				if _, ok := matchedServices[swarmServiceID]; ok {
 					continue
 				}
 				matchedServices[swarmServiceID] = true
 				// in case a container was part of a swarm service, the service requires to
 				// be force updated instead of restarting the container as it would otherwise
 				// remain in a "completed" state
 				service, _, err := s.cli.ServiceInspectWithRaw(context.Background(), swarmServiceID, types.ServiceInspectOptions{})
 				if err != nil {
 					restartErrors = append(
 						restartErrors,
 						fmt.Errorf("(*script).stopContainersAndServices: error looking up parent service: %w", err),
 					)
 					continue
 				}
 				service.Spec.TaskTemplate.ForceUpdate += 1
 				if _, err := s.cli.ServiceUpdate(
 					context.Background(), service.ID,
 					service.Version, service.Spec, types.ServiceUpdateOptions{},
 				); err != nil {
 					restartErrors = append(restartErrors, err)
 				}
 				continue
 			}
 			if err := s.cli.ContainerStart(context.Background(), container.ID, types.ContainerStartOptions{}); err != nil {
 				restartErrors = append(restartErrors, err)
 			}
 		}
 		var scaleUpErrors concurrentSlice[error]
 		if isDockerSwarm {
 			wg := &sync.WaitGroup{}
 			for _, svc := range servicesToScaleDown {
 				wg.Add(1)
 				go func(svc handledSwarmService) {
 					defer wg.Done()
 					warnings, err := scaleService(s.cli, svc.serviceID, svc.initialReplicaCount)
 					if err != nil {
 						scaleDownErrors.append(err)
 						return
 					}
 					for _, warning := range warnings {
 						s.logger.Warn(
 							fmt.Sprintf("The Docker API returned a warning when scaling up service %s: %s", svc.serviceID, warning),
 						)
 					}
 				}(svc)
 			}
 			wg.Wait()
 		}
 		allErrors := append(restartErrors, scaleUpErrors.value()...)
 		if len(allErrors) != 0 {
 			return fmt.Errorf(
 				"(*script).stopContainersAndServices: %d error(s) restarting containers and services: %w",
 				len(allErrors),
 				errors.Join(allErrors...),
 			)
 		}
 		s.logger.Info(
 			fmt.Sprintf(
 				"Restarted %d container(s).",
 				len(stoppedContainers),
 			),
 		)
 		if isDockerSwarm {
 			s.logger.Info(
 				fmt.Sprintf(
 					"Scaled %d service(s) back up.",
 					len(scaledDownServices),
 				),
 			)
 		}
 		return nil
 	}, initialErr
 }
--- a/cmd/backup/util.go
+++ b/cmd/backup/util.go
@@ -0,0 +1,81 @@
 // Copyright 2022 - Offen Authors <hioffen@posteo.de>
 // SPDX-License-Identifier: MPL-2.0
 package main
 import (
 	"bytes"
 	"fmt"
 	"io"
 	"os"
 	"sync"
 )
 var noop = func() error { return nil }
 // remove removes the given file or directory from disk.
 func remove(location string) error {
 	fi, err := os.Lstat(location)
 	if err != nil {
 		if os.IsNotExist(err) {
 			return nil
 		}
 		return fmt.Errorf("remove: error checking for existence of `%s`: %w", location, err)
 	}
 	if fi.IsDir() {
 		err = os.RemoveAll(location)
 	} else {
 		err = os.Remove(location)
 	}
 	if err != nil {
 		return fmt.Errorf("remove: error removing `%s`: %w", location, err)
 	}
 	return nil
 }
 // buffer takes an io.Writer and returns a wrapped version of the
 // writer that writes to both the original target as well as the returned buffer
 func buffer(w io.Writer) (io.Writer, *bytes.Buffer) {
 	buffering := &bufferingWriter{buf: bytes.Buffer{}, writer: w}
 	return buffering, &buffering.buf
 }
 type bufferingWriter struct {
 	buf    bytes.Buffer
 	writer io.Writer
 }
 func (b *bufferingWriter) Write(p []byte) (n int, err error) {
 	if n, err := b.buf.Write(p); err != nil {
 		return n, fmt.Errorf("(*bufferingWriter).Write: error writing to buffer: %w", err)
 	}
 	return b.writer.Write(p)
 }
 type noopWriteCloser struct {
 	io.Writer
 }
 func (noopWriteCloser) Close() error {
 	return nil
 }
 type handledSwarmService struct {
 	serviceID           string
 	initialReplicaCount uint64
 }
 type concurrentSlice[T any] struct {
 	val []T
 	sync.Mutex
 }
 func (c *concurrentSlice[T]) append(v T) {
 	c.Lock()
 	defer c.Unlock()
 	c.val = append(c.val, v)
 }
 func (c *concurrentSlice[T]) value() []T {
 	return c.val
 }
--- a/docs/.gitignore
+++ b/docs/.gitignore
@@ -0,0 +1,2 @@
 _site
 .jekyll-cache
--- a/docs/Gemfile
+++ b/docs/Gemfile
@@ -0,0 +1,4 @@
 source 'https://rubygems.org'
 gem "jekyll", "~> 4.3.2"
 gem "just-the-docs", "0.6.1"
--- a/docs/Gemfile.lock
+++ b/docs/Gemfile.lock
@@ -0,0 +1,80 @@
 GEM
  remote: https://rubygems.org/
  specs:
    addressable (2.8.5)
      public_suffix (>= 2.0.2, < 6.0)
    colorator (1.1.0)
    concurrent-ruby (1.2.2)
    em-websocket (0.5.3)
      eventmachine (>= 0.12.9)
      http_parser.rb (~> 0)
    eventmachine (1.2.7)
    ffi (1.15.5)
    forwardable-extended (2.6.0)
    http_parser.rb (0.8.0)
    i18n (1.14.1)
      concurrent-ruby (~> 1.0)
    jekyll (4.3.2)
      addressable (~> 2.4)
      colorator (~> 1.0)
      em-websocket (~> 0.5)
      i18n (~> 1.0)
      jekyll-sass-converter (>= 2.0, < 4.0)
      jekyll-watch (~> 2.0)
      kramdown (~> 2.3, >= 2.3.1)
      kramdown-parser-gfm (~> 1.0)
      liquid (~> 4.0)
      mercenary (>= 0.3.6, < 0.5)
      pathutil (~> 0.9)
      rouge (>= 3.0, < 5.0)
      safe_yaml (~> 1.0)
      terminal-table (>= 1.8, < 4.0)
      webrick (~> 1.7)
    jekyll-include-cache (0.2.1)
      jekyll (>= 3.7, < 5.0)
    jekyll-sass-converter (2.2.0)
      sassc (> 2.0.1, < 3.0)
    jekyll-seo-tag (2.8.0)
      jekyll (>= 3.8, < 5.0)
    jekyll-watch (2.2.1)
      listen (~> 3.0)
    just-the-docs (0.6.1)
      jekyll (>= 3.8.5)
      jekyll-include-cache
      jekyll-seo-tag (>= 2.0)
      rake (>= 12.3.1)
    kramdown (2.4.0)
      rexml
    kramdown-parser-gfm (1.1.0)
      kramdown (~> 2.0)
    liquid (4.0.4)
    listen (3.8.0)
      rb-fsevent (~> 0.10, >= 0.10.3)
      rb-inotify (~> 0.9, >= 0.9.10)
    mercenary (0.4.0)
    pathutil (0.16.2)
      forwardable-extended (~> 2.6)
    public_suffix (4.0.7)
    rake (13.0.6)
    rb-fsevent (0.11.2)
    rb-inotify (0.10.1)
      ffi (~> 1.0)
    rexml (3.2.6)
    rouge (3.30.0)
    safe_yaml (1.0.5)
    sassc (2.4.0)
      ffi (~> 1.9)
    terminal-table (3.0.2)
      unicode-display_width (>= 1.1.1, < 3)
    unicode-display_width (2.4.2)
    webrick (1.8.1)
 PLATFORMS
  ruby
 DEPENDENCIES
  jekyll (~> 4.3.2)
  just-the-docs (= 0.6.1)
 BUNDLED WITH
   2.1.4
--- a/docs/README.md
+++ b/docs/README.md
@@ -0,0 +1,14 @@
 # Documentation site
 This directory contains the sources for the documentation site published at <https://offen.github.io/docker-volume-backup>.
 Assuming you have Ruby and [`bundler`][bundler] installed, you can run the site locally using the following commands:
 ```
 bundle install
 bundle exec jekyll serve
 ```
 Note that changes in `_config.yml` require a manual restart to take effect.
 [bundler]: https://bundler.io/
--- a/docs/_config.yml
+++ b/docs/_config.yml
@@ -0,0 +1,35 @@
 title: docker-volume-backup
 description: Documentation for the offen/docker-volume-backup Docker image.
 theme: just-the-docs
 url: https://offen.github.io/docker-volume-backup/
 callouts_level: quiet
 callouts:
  highlight:
    color: yellow
  important:
    title: Important
    color: blue
  new:
    title: New
    color: green
  note:
    title: Note
    color: purple
  warning:
    title: Warning
    color: red
 aux_links:
  'GitHub Repository':
    - https://github.com/offen/docker-volume-backup
 nav_external_links:
  - title: GitHub Repository
    url: https://github.com/offen/docker-volume-backup
 footer_content: >-
  Copyright &copy; 2021 Offen Authors and contributors.
  Distributed under the <a href="https://github.com/offen/docker-volume-backup/tree/main/LICENSE">MPL-2.0 License.</a><br>
  Something missing, unclear or not working? Open <a href="https://github.com/offen/docker-volume-backup/issues">an issue</a>.
--- a/docs/_sass/custom/custom.scss
+++ b/docs/_sass/custom/custom.scss
@@ -0,0 +1,7 @@
 .site-title {
  font-size: unset !important;
 }
 .main-content pre {
  font-size: 1.1em;
 }
--- a/docs/how-tos/automatically-prune-old-backups.md
+++ b/docs/how-tos/automatically-prune-old-backups.md
@@ -0,0 +1,34 @@
 ---
 title: Automatically prune old backups
 layout: default
 parent: How Tos
 nav_order: 3
 ---
 # Automatically prune old backups
 When `BACKUP_RETENTION_DAYS` is configured, the command will check if there are any archives in the remote storage backend(s) or local archive that are older than the given retention value and rotate these backups away.
 {: .note }
 Be aware that this mechanism looks at __all files in the target bucket or archive__, which means that other files that are older than the given deadline are deleted as well.
 In case you need to use a target that cannot be used exclusively for your backups, you can configure `BACKUP_PRUNING_PREFIX` to limit which files are considered eligible for deletion:
 ```yml
 version: '3'
 services:
  # ... define other services using the `data` volume here
  backup:
    image: offen/docker-volume-backup:v2
    environment:
      BACKUP_FILENAME: backup-%Y-%m-%dT%H-%M-%S.tar.gz
      BACKUP_PRUNING_PREFIX: backup-
      BACKUP_RETENTION_DAYS: '7'
    volumes:
      - ${HOME}/backups:/archive
      - data:/backup/my-app-backup:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
 volumes:
  data:
 ```
--- a/docs/how-tos/define-different-retention-schedules.md
+++ b/docs/how-tos/define-different-retention-schedules.md
@@ -0,0 +1,40 @@
 ---
 title: Define different retention schedules
 layout: default
 parent: How Tos
 nav_order: 9
 ---
 # Define different retention schedules
 If you want to manage backup retention on different schedules, the most straight forward approach is to define a dedicated configuration for retention rule using a different prefix in the `BACKUP_FILENAME` parameter and then run them on different cron schedules.
 For example, if you wanted to keep daily backups for 7 days, weekly backups for a month, and retain monthly backups forever, you could create three configuration files and mount them into `/etc/dockervolumebackup/conf.d`:
 ```ini
 # 01daily.conf
 BACKUP_FILENAME="daily-backup-%Y-%m-%dT%H-%M-%S.tar.gz"
 # run every day at 2am
 BACKUP_CRON_EXPRESSION="0 2 * * *"
 BACKUP_PRUNING_PREFIX="daily-backup-"
 BACKUP_RETENTION_DAYS="7"
 ```
 ```ini
 # 02weekly.conf
 BACKUP_FILENAME="weekly-backup-%Y-%m-%dT%H-%M-%S.tar.gz"
 # run every monday at 3am
 BACKUP_CRON_EXPRESSION="0 3 * * 1"
 BACKUP_PRUNING_PREFIX="weekly-backup-"
 BACKUP_RETENTION_DAYS="31"
 ```
 ```ini
 # 03monthly.conf
 BACKUP_FILENAME="monthly-backup-%Y-%m-%dT%H-%M-%S.tar.gz"
 # run every 1st of a month at 4am
 BACKUP_CRON_EXPRESSION="0 4 1 * *"
 ```
 {: .note }
 While it's possible to define colliding cron schedules for each of these configurations, you might need to adjust the value for `LOCK_TIMEOUT` in case your backups are large and might take longer than an hour.
--- a/docs/how-tos/encrypt-backups-using-gpg.md
+++ b/docs/how-tos/encrypt-backups-using-gpg.md
@@ -0,0 +1,17 @@
 ---
 title: Encrypt backups using GPG
 layout: default
 parent: How Tos
 nav_order: 7
 ---
 # Encrypt backups using GPG
 The image supports encrypting backups using GPG out of the box.
 In case a `GPG_PASSPHRASE` environment variable is set, the backup archive will be encrypted using the given key and saved as a `.gpg` file instead.
 Assuming you have `gpg` installed, you can decrypt such a backup using (your OS will prompt for the passphrase before decryption can happen):
 ```console
 gpg -o backup.tar.gz -d backup.tar.gz.gpg
 ```
--- a/docs/how-tos/handle-file-uploads-using-third-party-tools.md
+++ b/docs/how-tos/handle-file-uploads-using-third-party-tools.md
@@ -0,0 +1,44 @@
 ---
 title: Handle file uploads using third party tools
 layout: default
 parent: How Tos
 nav_order: 10
 ---
 # Handle file uploads using third party tools
 If you want to use an unsupported storage backend, or want to use a third party (e.g. rsync, rclone) tool for file uploads, you can build a Docker image containing the required binaries off this one, and call through to these in lifecycle hooks.
 For example, if you wanted to use `rsync`, define your Docker image like this:
 ```Dockerfile
 FROM offen/docker-volume-backup:v2
 RUN apk add rsync
 ```
 Using this image, you can now omit configuring any of the supported storage backends, and instead define your own mechanism in a `docker-volume-backup.copy-post` label:
 ```yml
 version: '3'
 services:
  backup:
    image: your-custom-image
    restart: always
    environment:
      BACKUP_FILENAME: "daily-backup-%Y-%m-%dT%H-%M-%S.tar.gz"
      BACKUP_CRON_EXPRESSION: "0 2 * * *"
    labels:
      - docker-volume-backup.copy-post=/bin/sh -c 'rsync $$COMMAND_RUNTIME_ARCHIVE_FILEPATH /destination'
    volumes:
      - app_data:/backup/app_data:ro
      - /var/run/docker.sock:/var/run/docker.sock
  # other services defined here ...
 volumes:
  app_data:
 ```
 {: .note }
 Commands will be invoked with the filepath of the tar archive passed as `COMMAND_RUNTIME_BACKUP_FILEPATH`.
--- a/docs/how-tos/index.md
+++ b/docs/how-tos/index.md
@@ -0,0 +1,8 @@
 ---
 title: How Tos
 layout: default
 nav_order: 3
 has_children: true
 ---
 ## How Tos
--- a/docs/how-tos/manual-trigger.md
+++ b/docs/how-tos/manual-trigger.md
@@ -0,0 +1,20 @@
 ---
 title: Trigger a backup manually
 layout: default
 parent: How Tos
 nav_order: 8
 ---
 # Trigger a backup manually
 You can manually trigger a backup run outside of the defined cron schedule by executing the `backup` command inside the container:
 ```console
 docker exec <container_ref> backup
 ```
 If the container is configured to run multiple schedules, you can source the respective conf file before invoking the command:
 ```console
 docker exec <container_ref> /bin/sh -c 'set -a; source /etc/dockervolumebackup/conf.d/myconf.env; set +a && backup'
 ```
--- a/docs/how-tos/replace-deprecated-backup-from-snapshot.md
+++ b/docs/how-tos/replace-deprecated-backup-from-snapshot.md
@@ -0,0 +1,37 @@
 ---
 title: Replace deprecated BACKUP_FROM_SNAPSHOT usage
 layout: default
 parent: How Tos
 nav_order: 16
 ---
 # Replace deprecated `BACKUP_FROM_SNAPSHOT` usage
 Starting with version 2.15.0, the `BACKUP_FROM_SNAPSHOT` feature has been deprecated.
 If you need to prepare your sources before the backup is taken, use `archive-pre`, `archive-post` and an intermediate volume:
 ```yml
 version: '3'
 services:
  my_app:
    build: .
    volumes:
      - data:/var/my_app
      - backup:/tmp/backup
    labels:
      - docker-volume-backup.archive-pre=cp -r /var/my_app /tmp/backup/my-app
      - docker-volume-backup.archive-post=rm -rf /tmp/backup/my-app
  backup:
    image: offen/docker-volume-backup:v2
    environment:
      BACKUP_SOURCES: /tmp/backup
    volumes:
      - backup:/backup:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
 volumes:
  data:
  backup:
 ```
--- a/docs/how-tos/replace-deprecated-backup-stop-container-label.md
+++ b/docs/how-tos/replace-deprecated-backup-stop-container-label.md
@@ -0,0 +1,19 @@
 ---
 title: Replace deprecated BACKUP_STOP_CONTAINER_LABEL setting
 layout: default
 parent: How Tos
 nav_order: 19
 ---
 # Replace deprecated `BACKUP_STOP_CONTAINER_LABEL` setting
 Version `v2.36.0` deprecated the `BACKUP_STOP_CONTAINER_LABEL` setting and renamed it `BACKUP_STOP_DURING_BACKUP_LABEL` which is supposed to signal that this will stop both containers _and_ services.
 Migrating is done by renaming the key for your custom value:
 ```diff
    env:
 -     BACKUP_STOP_CONTAINER_LABEL: database
 +     BACKUP_STOP_DURING_BACKUP_LABEL: database
 ```
 The old key will stay supported until the next major version, but logs a warning each time a backup is taken.
--- a/docs/how-tos/replace-deprecated-exec-labels.md
+++ b/docs/how-tos/replace-deprecated-exec-labels.md
@@ -0,0 +1,23 @@
 ---
 title: Replace deprecated exec-pre and exec-post labels
 layout: default
 parent: How Tos
 nav_order: 17
 ---
 # Replace deprecated `exec-pre` and `exec-post` labels
 Version 2.19.0 introduced the option to run labeled commands at multiple points in time during the backup lifecycle.
 In order to be able to use more obvious terminology in the new labels, the existing `exec-pre` and `exec-post` labels have been deprecated.
 If you want to emulate the existing behavior, all you need to do is change `exec-pre` to `archive-pre` and `exec-post` to `archive-post`:
 ```diff
    labels:
 -     - docker-volume-backup.exec-pre=cp -r /var/my_app /tmp/backup/my-app
 +     - docker-volume-backup.archive-pre=cp -r /var/my_app /tmp/backup/my-app
 -     - docker-volume-backup.exec-post=rm -rf /tmp/backup/my-app
 +     - docker-volume-backup.archive-post=rm -rf /tmp/backup/my-app
 ```
 The `EXEC_LABEL` setting and the `docker-volume-backup.exec-label` label stay as is.
 Check the additional documentation on running commands during the backup lifecycle to find out about further possibilities.
--- a/docs/how-tos/restore-volumes-from-backup.md
+++ b/docs/how-tos/restore-volumes-from-backup.md
@@ -0,0 +1,46 @@
 ---
 title: Restore volumes from a backup
 layout: default
 parent: How Tos
 nav_order: 6
 ---
 # Restore volumes from a backup
 In case you need to restore a volume from a backup, the most straight forward procedure to do so would be:
 - Stop the container(s) that are using the volume
 - Untar the backup you want to restore
  ```console
  tar -C /tmp -xvf  backup.tar.gz
  ```
 - Using a temporary once-off container, mount the volume (the example assumes it's named `data`) and copy over the backup. Make sure you copy the correct path level (this depends on how you mount your volume into the backup container), you might need to strip some leading elements
  ```console
  docker run -d --name temp_restore_container -v data:/backup_restore alpine
  docker cp /tmp/backup/data-backup temp_restore_container:/backup_restore
  docker stop temp_restore_container
  docker rm temp_restore_container
  ```
 - Restart the container(s) that are using the volume
 Depending on your setup and the application(s) you are running, this might involve other steps to be taken still.
 ---
 If you want to rollback an entire volume to an earlier backup snapshot (recommended for database volumes):
 - Trigger a manual backup if necessary (see `Manually triggering a backup`).
 - Stop the container(s) that are using the volume.
 - If volume was initially created using docker-compose, find out exact volume name using:
  ```console
  docker volume ls
  ```
 - Remove existing volume (the example assumes it's named `data`):
  ```console
  docker volume rm data
  ```
 - Create new volume with the same name and restore a snapshot:
  ```console
  docker run --rm -it -v data:/backup/my-app-backup -v /path/to/local_backups:/archive:ro alpine tar -xvzf /archive/full_backup_filename.tar.gz
  ```
 - Restart the container(s) that are using the volume.
--- a/docs/how-tos/run-custom-commands.md
+++ b/docs/how-tos/run-custom-commands.md
@@ -0,0 +1,93 @@
 ---
 title: Run custom commands during the backup lifecycle
 layout: default
 nav_order: 5
 parent: How Tos
 ---
 # Run custom commands during the backup lifecycle
 In certain scenarios it can be required to run specific commands before and after a backup is taken (e.g. dumping a database).
 When mounting the Docker socket into the `docker-volume-backup` container, you can define pre- and post-commands that will be run in the context of the target container (it is also possible to run commands inside the `docker-volume-backup` container itself using this feature).
 Such commands are defined by specifying the command in a `docker-volume-backup.[step]-[pre|post]` label where `step` can be any of the following phases of a backup lifecycle:
 - `archive` (the tar archive is created)
 - `process` (the tar archive is processed, e.g. encrypted - optional)
 - `copy` (the tar archive is copied to all configured storages)
 - `prune` (existing backups are pruned based on the defined ruleset - optional)
 {: .note }
 So that the `docker-volume-backup` container can access the labels on other containers, it is necessary that the docker socket is mounted into
 the `docker-volume-backup` container as shown in the Quickstart example.
 Taking a database dump using `mysqldump` would look like this:
 ```yml
 version: '3'
 services:
  # ... define other services using the `data` volume here
  database:
    image: mariadb
    volumes:
      - backup_data:/tmp/backups
    labels:
      - docker-volume-backup.archive-pre=/bin/sh -c 'mysqldump --all-databases > /backups/dump.sql'
 volumes:
  backup_data:
 ```
 {: .note }
 Due to Docker limitations, you currently cannot use any kind of redirection in these commands unless you pass the command to `/bin/sh -c` or similar.
 I.e. instead of using `echo "ok" > ok.txt` you will need to use `/bin/sh -c 'echo "ok" > ok.txt'`.
 If you have more than one `docker-volume-backup` container (possibly across several docker-compose environments) to backup or you are using
 multiple backup schedules, you will need to use `EXEC_LABEL` in the configuration and a `docker-volume-backup.exec-label` label on each
 container using custom commands to ensure that the commands are only run by the correct `docker-volume-backup` instance.
 ```yml
 version: '3'
 services:
  database:
    image: mariadb
    volumes:
      - backup_data:/tmp/backups
    labels:
      - docker-volume-backup.archive-pre=/bin/sh -c 'mysqldump --all-databases > /tmp/volume/dump.sql'
      - docker-volume-backup.exec-label=database
  backup:
    image: offen/docker-volume-backup:v2
    environment:
      EXEC_LABEL: database
    volumes:
      - data:/backup/dump:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
 volumes:
  backup_data:
 ```
 The backup procedure is guaranteed to wait for all `pre` or `post` commands to finish before proceeding.
 However, there are no guarantees about the order in which they are run, which could also happen concurrently.
 By default the backup command is executed by the user provided by the container's image.
 It is possible to specify a custom user that is used to run commands in dedicated labels with the format `docker-volume-backup.[step]-[pre|post].user`:
 ```yml
 version: '3'
 services:
  gitea:
    image: gitea/gitea
    volumes:
      - backup_data:/tmp
    labels:
      - docker-volume-backup.archive-pre.user=git
      - docker-volume-backup.archive-pre=/bin/bash -c 'cd /tmp; /usr/local/bin/gitea dump -c /data/gitea/conf/app.ini -R -f dump.zip'
 ```
 Make sure the user exists and is present in `passwd` inside the target container.
--- a/docs/how-tos/run-multiple-schedules.md
+++ b/docs/how-tos/run-multiple-schedules.md
@@ -0,0 +1,52 @@
 ---
 title: Run multiple backup schedules in the same container
 layout: default
 parent: How Tos
 nav_order: 11
 ---
 # Run multiple backup schedules in the same container
 Multiple backup schedules with different configuration can be configured by mounting an arbitrary number of configuration files (using the `.env` format) into `/etc/dockervolumebackup/conf.d`:
 ```yml
 version: '3'
 services:
  # ... define other services using the `data` volume here
  backup:
    image: offen/docker-volume-backup:v2
    volumes:
      - data:/backup/my-app-backup:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./configuration:/etc/dockervolumebackup/conf.d
 volumes:
  data:
 ```
 A separate cronjob will be created for each config file.
 If a configuration value is set both in the global environment as well as in the config file, the config file will take precedence.
 The `backup` command expects to run on an exclusive lock, so in case you provide the same or overlapping schedules in your cron expressions, the runs will still be executed serially, one after the other.
 The exact order of schedules that use the same cron expression is not specified.
 In case you need your schedules to overlap, you need to create a dedicated container for each schedule instead.
 When changing the configuration, you currently need to manually restart the container for the changes to take effect.
 Set `BACKUP_SOURCES` for each config file to control which subset of volume mounts gets backed up:
 ```yml
 # With a volume configuration like this:
 volumes:
  - /var/run/docker.sock:/var/run/docker.sock:ro
  - ./configuration:/etc/dockervolumebackup/conf.d
  - app1_data:/backup/app1_data:ro
  - app2_data:/backup/app2_data:ro
 ```
 ```ini
 # In the 1st config file:
 BACKUP_SOURCES=/backup/app1_data
 # In the 2nd config file:
 BACKUP_SOURCES=/backup/app2_data
 ```
--- a/docs/how-tos/set-container-timezone.md
+++ b/docs/how-tos/set-container-timezone.md
@@ -0,0 +1,27 @@
 ---
 title: Set the timezone the container runs in
 layout: default
 parent: How Tos
 nav_order: 8
 ---
 # Set the timezone the container runs in
 By default a container based on this image will run in the UTC timezone.
 As the image is designed to be as small as possible, additional timezone data is not included.
 In case you want to run your cron rules in your local timezone (respecting DST and similar), you can mount your Docker host's `/etc/timezone` and `/etc/localtime` in read-only mode:
 ```yml
 version: '3'
 services:
  backup:
    image: offen/docker-volume-backup:v2
    volumes:
      - data:/backup/my-app-backup:ro
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
 volumes:
  data:
 ```
--- a/docs/how-tos/set-up-dropbox.md
+++ b/docs/how-tos/set-up-dropbox.md
@@ -0,0 +1,37 @@
 ---
 title: Set up Dropbox storage backend
 layout: default
 parent: How Tos
 nav_order: 12
 ---
 # Set up Dropbox storage backend
 ## Acquiring authentication tokens
 1. Create a new Dropbox App in the [App Console](https://www.dropbox.com/developers/apps)
 2. Open your new Dropbox App and set `DROPBOX_APP_KEY` and `DROPBOX_APP_SECRET` in your environment (e.g. docker-compose.yml) accordingly
 3. Click on `Permissions` in your app and make sure, that the following permissions are cranted (or more):
  - `files.metadata.write`
  - `files.metadata.read`
  - `files.content.write`
  - `files.content.read`
 4. Replace APPKEY in `https://www.dropbox.com/oauth2/authorize?client_id=APPKEY&token_access_type=offline&response_type=code` with the app key from step 2
 5. Visit the URL and confirm the access of your app. This gives you an `auth code` -> save it somewhere!
 6. Replace AUTHCODE, APPKEY, APPSECRET accordingly and perform the request:
 ```
 curl https://api.dropbox.com/oauth2/token \
    -d code=AUTHCODE \
    -d grant_type=authorization_code \
    -d client_id=APPKEY \
    -d client_secret=APPSECRET
 ```
 7. Execute the request. You will get a JSON formatted reply. Use the value of the `refresh_token` for the last environment variable `DROPBOX_REFRESH_TOKEN`
 8. You should now have `DROPBOX_APP_KEY`, `DROPBOX_APP_SECRET` and `DROPBOX_REFRESH_TOKEN` set. These don't expire.
 Note: Using the "Generated access token" in the app console is not supported, as it is only very short lived and therefore not suitable for an automatic backup solution. The refresh token handles this automatically - the setup procedure above is only needed once.
 ## Other parameters
 Important: If you chose `App folder` access during the creation of your Dropbox app in step 1 above, you can only write in the app's directory!
 This means, that `DROPBOX_REMOTE_PATH` must start with e.g. `/Apps/YOUR_APP_NAME` or `/Apps/YOUR_APP_NAME/some_sub_dir`
--- a/docs/how-tos/set-up-notifications.md
+++ b/docs/how-tos/set-up-notifications.md
@@ -0,0 +1,132 @@
 ---
 title: Receive notifications
 layout: default
 nav_order: 4
 parent: How Tos
 ---
 # Receive notifications
 ## Send email notifications on failed backup runs
 To send out email notifications on failed backup runs, provide SMTP credentials, a sender and a recipient:
 ```yml
 version: '3'
 services:
  backup:
    image: offen/docker-volume-backup:v2
    environment:
      # ... other configuration values go here
      NOTIFICATION_URLS=smtp://me:secret@smtp.example.com:587/?fromAddress=no-reply@example.com&toAddresses=you@example.com
 ```
 Notification backends other than email are also supported.
 Refer to the documentation of [shoutrrr][shoutrrr-docs] to find out about options and configuration.
 [shoutrrr-docs]: https://containrrr.dev/shoutrrr/0.7/services/overview/
 {: .note }
 If you also want notifications on successful executions, set `NOTIFICATION_LEVEL` to `info`.
 ## Customize notifications
 The title and body of the notifications can be tailored to your needs using [Go templates](https://pkg.go.dev/text/template).
 Template sources must be mounted inside the container in `/etc/dockervolumebackup/notifications.d/`: any file inside this directory will be parsed.
 ```yml
 services:
  backup:
    image: offen/docker-volume-backup:v2
    volumes:
      - ./customized.template:/etc/dockervolumebackup/notifications.d/01.template
 ```
 The files have to define [nested templates](https://pkg.go.dev/text/template#hdr-Nested_template_definitions) in order to override the original values. An example:
 {% raw %}
 ```
 {{ define "title_success" -}}
 ✅ Successfully ran backup {{ .Config.BackupStopContainerLabel }}
 {{- end }}
 {{ define "body_success" -}}
 ▶️ Start time: {{ .Stats.StartTime | formatTime }}
 ⏹️ End time: {{ .Stats.EndTime | formatTime }}
 ⌛ Took time: {{ .Stats.TookTime }}
 🛑 Stopped containers: {{ .Stats.Containers.Stopped }}/{{ .Stats.Containers.All }} ({{ .Stats.Containers.StopErrors }} errors)
 ⚖️ Backup size: {{ .Stats.BackupFile.Size | formatBytesBin }} / {{ .Stats.BackupFile.Size | formatBytesDec }}
 🗑️ Pruned backups: {{ .Stats.Storages.Local.Pruned }}/{{ .Stats.Storages.Local.Total }} ({{ .Stats.Storages.Local.PruneErrors }} errors)
 {{- end }}
 ```
 {% endraw %}
 Template names that can be overridden are:
  - `title_success` (the title used for a successful execution)
  - `body_success` (the body used for a successful execution)
  - `title_failure` (the title used for a failed execution)
  - `body_failure` (the body used for a failed execution)
 ## Notification templates reference
 Configuration, data about the backup run and helper functions will be passed to these templates, this page documents them fully.
 ### Data
 Here is a list of all data passed to the template:
 * `Config`: this object holds the configuration that has been passed to the script. The field names are the name of the recognized environment variables converted in PascalCase. (e.g. `BACKUP_STOP_DURING_BACKUP_LABEL` becomes `BackupStopDuringBackupLabel`)
 * `Error`: the error that made the backup fail. Only available in the `title_failure` and `body_failure` templates
 * `Stats`: objects that holds stats regarding script execution. In case of an unsuccessful run, some information may not be available.
  * `StartTime`: time when the script started execution
  * `EndTime`: time when the backup has completed successfully (after pruning)
  * `TookTime`: amount of time it took for the backup to run. (equal to `EndTime - StartTime`)
  * `LockedTime`: amount of time it took for the backup to acquire the exclusive lock
  * `LogOutput`: full log of the application
  * `Containers`: object containing stats about the docker containers
    * `All`: total number of containers
    * `ToStop`: number of containers matched by the stop rule
    * `Stopped`: number of containers successfully stopped
    * `StopErrors`: number of containers that were unable to be stopped (equal to `ToStop - Stopped`)
  * `Services`: object containing stats about the docker services (only populated when Docker is running in Swarm mode)
    * `All`: total number of services
    * `ToScaleDown`: number of containers matched by the scale down rule
    * `ScaledDwon`: number of containers successfully scaled down
    * `ScaleDownErrors`: number of containers that were unable to be stopped (equal to `ToScaleDown - ScaledDowm`)
  * `BackupFile`: object containing information about the backup file
    * `Name`: name of the backup file (e.g. `backup-2022-02-11T01-00-00.tar.gz`)
    * `FullPath`: full path of the backup file (e.g. `/archive/backup-2022-02-11T01-00-00.tar.gz`)
    * `Size`: size in bytes of the backup file
  * `Storages`: object that holds stats about each storage
    * `Local`, `S3`, `WebDAV`, `Azure`, `Dropbox` or `SSH`:
      * `Total`: total number of backup files
      * `Pruned`: number of backup files that were deleted due to pruning rule
      * `PruneErrors`: number of backup files that were unable to be pruned
 ### Functions
 Some formatting and helper functions are also available:
 * `formatTime`: formats a time object using [RFC3339](https://datatracker.ietf.org/doc/html/rfc3339) format (e.g. `2022-02-11T01:00:00Z`)
 * `formatBytesBin`: formats an amount of bytes using powers of 1024 (e.g. `7055258` bytes will be `6.7 MiB`) 
 * `formatBytesDec`: formats an amount of bytes using powers of 1000 (e.g. `7055258` bytes will be `7.1 MB`)
 * `env`: returns the value of the environment variable of the given key if set
 * `toJson`: converting object to JSON
 * `toPrettyJson`: converting object to pretty JSON
 ## Special characters in notification URLs
 The value given to `NOTIFICATION_URLS` is a comma separated list of URLs.
 If such a URL contains special characters (e.g. commas) these need to be URL encoded.
 To obtain an encoded version of your URL, you can use the CLI tool provided by `shoutrrr` (which is the library used for sending notifications):
 ```
 docker run --rm -ti containrrr/shoutrrr generate [service]
 ```
 where service is any of the [supported services][shoutrrr-docs], e.g. for SMTP:
 ```
 docker run --rm -ti containrrr/shoutrrr generate smtp
 ```
--- a/docs/how-tos/stop-containers-during-backup.md
+++ b/docs/how-tos/stop-containers-during-backup.md
@@ -0,0 +1,38 @@
 ---
 title: Stop containers during backup
 layout: default
 parent: How Tos
 nav_order: 1
 ---
 # Stop containers during backup
 {: .note }
 In case you are running Docker in Swarm mode, [dedicated documentation](./use-with-docker-swarm.html) on service and container restart applies.
 In many cases, it will be desirable to stop the services that are consuming the volume you want to backup in order to ensure data integrity.
 This image can automatically stop and restart containers and services.
 By default, any container that is labeled `docker-volume-backup.stop-during-backup=true` will be stopped before the backup is being taken and restarted once it has finished.
 In case you need more fine grained control about which containers should be stopped (e.g. when backing up multiple volumes on different schedules), you can set the `BACKUP_STOP_DURING_BACKUP_LABEL` environment variable and then use the same value for labeling:
 ```yml
 version: '3'
 services:
  app:
    # definition for app ...
    labels:
      - docker-volume-backup.stop-during-backup=service1
  backup:
    image: offen/docker-volume-backup:v2
    environment:
      BACKUP_STOP_DURING_BACKUP_LABEL: service1
    volumes:
      - data:/backup/my-app-backup:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
 volumes:
  data:
 ```
--- a/docs/how-tos/update-deprecated-email-config.md
+++ b/docs/how-tos/update-deprecated-email-config.md
@@ -0,0 +1,26 @@
 ---
 title: Update deprecated email configuration
 layout: default
 parent: How Tos
 nav_order: 18
 ---
 # Update deprecated email configuration
 Starting with version 2.6.0, configuring email notifications using `EMAIL_*` keys has been deprecated.
 Instead of providing multiple values using multiple keys, you can now provide a single URL for `NOTIFICATION_URLS`.
 Before:
 ```ini
 EMAIL_NOTIFICATION_RECIPIENT="you@example.com"
 EMAIL_NOTIFICATION_SENDER="no-reply@example.com"
 EMAIL_SMTP_HOST="posteo.de"
 EMAIL_SMTP_PASSWORD="secret"
 EMAIL_SMTP_USERNAME="me"
 EMAIL_SMTP_PORT="587"
 ```
 After:
 ```ini
 NOTIFICATION_URLS=smtp://me:secret@posteo.de:587/?fromAddress=no-reply@example.com&toAddresses=you@example.com
 ```
--- a/docs/how-tos/use-custom-docker-host.md
+++ b/docs/how-tos/use-custom-docker-host.md
@@ -0,0 +1,45 @@
 ---
 title: Use a custom Docker host
 layout: default
 parent: How Tos
 nav_order: 14
 ---
 # Use a custom Docker host
 If you are interfacing with Docker via TCP, set `DOCKER_HOST` to the correct URL.
 ```ini
 DOCKER_HOST=tcp://docker_socket_proxy:2375
 ```
 If you do this as you seek to restrict access to the Docker socket, this tool is potentially calling the following Docker APIs:
 | API | When |
 |-|-|
 | `Info` | always |
 | `ContainerExecCreate` | running commands from `exec-labels` |
 | `ContainerExecAttach` | running commands from `exec-labels` |
 | `ContainerExecInspect` | running commands from `exec-labels` |
 | `ContainerList` | always |
  `ServiceList` | Docker engine is running in Swarm mode |
 | `ServiceInspect` | Docker engine is running in Swarm mode |
 | `ServiceUpdate` | Docker engine is running in Swarm mode and `stop-during-backup` is used |
 | `ConatinerStop` | `stop-during-backup` labels are applied to containers |
 | `ContainerStart` | `stop-during-backup` labels are applied to container |
 ---
 In case you are using [`docker-socket-proxy`][proxy], this means following permissions are required:
 | Permission | When |
 |-|-|
 | INFO | always required |
 | CONTAINERS | always required |
 | POST | required when using `stop-during-backup` or `exec` labels |
 | EXEC | required when using `exec`-labeled commands |
 | SERVICES | required when Docker Engine is running in Swarm mode |
 | NODES | required when labeling services `stop-during-backup` |
 | TASKS | required when labeling services `stop-during-backup` |
 [proxy]: https://github.com/Tecnativa/docker-socket-proxy
--- a/docs/how-tos/use-rootless-docker.md
+++ b/docs/how-tos/use-rootless-docker.md
@@ -0,0 +1,23 @@
 ---
 title: Use with rootless Docker
 layout: default
 parent: How Tos
 nav_order: 15
 ---
 # Use with rootless Docker
 It's also possible to use this image with a [rootless Docker installation][rootless-docker].
 Instead of mounting `/var/run/docker.sock`, mount the user-specific socket into the container:
 ```yml
 services:
  backup:
    image: offen/docker-volume-backup:v2
    # ... configuration omitted
    volumes:
      - backup:/backup:ro
      - /run/user/1000/docker.sock:/var/run/docker.sock:ro
 ```
 [rootless-docker]: https://docs.docker.com/engine/security/rootless/
--- a/docs/how-tos/use-with-docker-swarm.md
+++ b/docs/how-tos/use-with-docker-swarm.md
@@ -0,0 +1,81 @@
 ---
 title: Use with Docker Swarm
 layout: default
 parent: How Tos
 nav_order: 13
 ---
 # Use with Docker Swarm
 {: .note }
 The mechanisms described in this page __do only apply when Docker is running in [Swarm mode][swarm]__.
 [swarm]: https://docs.docker.com/engine/swarm/
 ## Stopping containers during backup
 Stopping and restarting containers during backup creation when running Docker in Swarm mode is supported in two ways.
 {: .important }
 Make sure you label your services and containers using only one of the describe approaches.
 In case the script encounters a container that is labeled and has a parent service that is also labeled, it will exit early.
 ### Scaling services down to zero before scaling back up
 When labeling a service in the `deploy` section, the following strategy for stopping and restarting will be used:
 - The service is scaled down to zero replicas
 - The backup is created
 - The service is scaled back up to the previous number of replicas
 {: .note }
 This approach will only work for services that are deployed in __replicated mode__.
 Such a service definition could look like:
 ```yml
 services:
  app:
    image: myorg/myimage:latest
    deploy:
      labels:
        - docker-volume-backup.stop-during-backup=true
      replicas: 2
 ```
 ### Stopping the containers
 This approach bypasses the services and stops containers directly, creates the backup and restarts the containers again.
 As Docker Swarm would usually try to instantly restart containers that are manually stopped, this approach only works when using the `on-failure` restart policy.
 A restart policy of `always` is not compatible with this approach.
 Such a service definition could look like:
 ```yml
 services:
  app:
    image: myapp/myimage:latest
    labels:
      - docker-volume-backup.stop-during-backup=true
    deploy:
      replicas: 2
      restart_policy:
        condition: on-failure
 ```
 ---
 ## Memory limit considerations
 When running in Swarm mode, it's also advised to set a hard memory limit on your service (~25MB should be enough in most cases, but if you backup large files above half a gigabyte or similar, you might have to raise this in case the backup exits with `Killed`):
 ```yml
 services:
  backup:
    image: offen/docker-volume-backup:v2
    deployment:
      resources:
        limits:
          memory: 25M
 ```
--- a/docs/index.md
+++ b/docs/index.md
@@ -0,0 +1,117 @@
 ---
 title: Home
 layout: home
 nav_order: 1
 ---
 # offen/docker-volume-backup
 {:.no_toc}
 Backup Docker volumes locally or to any S3, WebDAV, Azure Blob Storage, Dropbox or SSH compatible storage.
 {: .fs-6 .fw-300 }
 ---
 The [offen/docker-volume-backup](https://hub.docker.com/r/offen/docker-volume-backup) Docker image can be used as a lightweight (below 15MB) companion container to an existing Docker setup.
 It handles __recurring or one-off backups of Docker volumes__ to a __local directory__, __any S3, WebDAV, Azure Blob Storage, Dropbox or SSH compatible storage (or any combination thereof) and rotates away old backups__ if configured. It also supports __encrypting your backups using GPG__ and __sending notifications for (failed) backup runs__.
 {: .note }
 Code and documentation for `v1` versions are found on [this branch][v1-branch].
 [v1-branch]: https://github.com/offen/docker-volume-backup/tree/v1
 ---
 1. TOC
 {:toc}
 ## Quickstart
 ### Recurring backups in a compose setup
 Add a `backup` service to your compose setup and mount the volumes you would like to see backed up:
 ```yml
 version: '3'
 services:
  volume-consumer:
    build:
      context: ./my-app
    volumes:
      - data:/var/my-app
    labels:
      # This means the container will be stopped during backup to ensure
      # backup integrity. You can omit this label if stopping during backup
      # not required.
      - docker-volume-backup.stop-during-backup=true
  backup:
    # In production, it is advised to lock your image tag to a proper
    # release version instead of using `latest`.
    # Check https://github.com/offen/docker-volume-backup/releases
    # for a list of available releases.
    image: offen/docker-volume-backup:latest
    restart: always
    env_file: ./backup.env # see below for configuration reference
    volumes:
      - data:/backup/my-app-backup:ro
      # Mounting the Docker socket allows the script to stop and restart
      # the container during backup and to access the container labels to
      # specify custom commands. You can omit this if you don't want to
      # stop the container or run custom commands. In case you need to
      # proxy the socket, you can also provide a location by setting
      # `DOCKER_HOST` in the container
      - /var/run/docker.sock:/var/run/docker.sock:ro
      # If you mount a local directory or volume to `/archive` a local
      # copy of the backup will be stored there. You can override the
      # location inside of the container by setting `BACKUP_ARCHIVE`.
      # You can omit this if you do not want to keep local backups.
      - /path/to/local_backups:/archive
 volumes:
  data:
 ```
 ### One-off backups using Docker CLI
 To run a one time backup, mount the volume you would like to see backed up into a container and run the `backup` command:
 ```console
 docker run --rm \
  -v data:/backup/data \
  --env AWS_ACCESS_KEY_ID="<xxx>" \
  --env AWS_SECRET_ACCESS_KEY="<xxx>" \
  --env AWS_S3_BUCKET_NAME="<xxx>" \
  --entrypoint backup \
  offen/docker-volume-backup:v2
 ```
 Alternatively, pass a `--env-file` in order to use a full config as described below.
 ### Available image registries
 This Docker image is published to both Docker Hub and the GitHub container registry.
 Depending on your preferences and needs, you can reference both `offen/docker-volume-backup` as well as `ghcr.io/offen/docker-volume-backup`:
 ```
 docker pull offen/docker-volume-backup:v2
 docker pull ghcr.io/offen/docker-volume-backup:v2
 ```
 Documentation references Docker Hub, but all examples will work using ghcr.io just as well.
 ## Differences to `jareware/docker-volume-backup`
 This image is heavily inspired by `jareware/docker-volume-backup`. We decided to publish this image as a simpler and more lightweight alternative because of the following requirements:
 - The original image is based on `ubuntu` and requires additional tools, making it heavy.
 This version is roughly 1/25 in compressed size (it's ~15MB).
 - The original image uses a shell script, when this version is written in Go.
 - The original image proposed to handle backup rotation through AWS S3 lifecycle policies.
 This image adds the option to rotate away old backups through the same command so this functionality can also be offered for non-AWS storage backends like MinIO.
 Local copies of backups can also be pruned once they reach a certain age.
 - InfluxDB specific functionality from the original image was removed.
 - `arm64` and `arm/v7` architectures are supported.
 - Docker in Swarm mode is supported.
 - Notifications on finished backups are supported.
 - IAM authentication through instance profiles is supported.
--- a/docs/recipes/index.md
+++ b/docs/recipes/index.md
@@ -0,0 +1,373 @@
 ---
 title: Recipes
 layout: default
 nav_order: 4
 ---
 # Recipes
 {: .no_toc }
 This doc lists configuration for some real-world use cases that you can copy and paste to tweak and match your needs.
 1. TOC
 {: toc }
 ## Backing up to AWS S3
 ```yml
 version: '3'
 services:
  # ... define other services using the `data` volume here
  backup:
    image: offen/docker-volume-backup:v2
    environment:
      AWS_S3_BUCKET_NAME: backup-bucket
      AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE
      AWS_SECRET_ACCESS_KEY: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
    volumes:
      - data:/backup/my-app-backup:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
 volumes:
  data:
 ```
 ## Backing up to Filebase
 ```yml
 version: '3'
 services:
  # ... define other services using the `data` volume here
  backup:
    image: offen/docker-volume-backup:v2
    environment:
      AWS_ENDPOINT: s3.filebase.com
      AWS_S3_BUCKET_NAME: filebase-bucket
      AWS_ACCESS_KEY_ID: FILEBASE-ACCESS-KEY
      AWS_SECRET_ACCESS_KEY: FILEBASE-SECRET-KEY
    volumes:
      - data:/backup/my-app-backup:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
 volumes:
  data:
 ```
 ## Backing up to MinIO
 ```yml
 version: '3'
 services:
  # ... define other services using the `data` volume here
  backup:
    image: offen/docker-volume-backup:v2
    environment:
      AWS_ENDPOINT: minio.example.com
      AWS_S3_BUCKET_NAME: backup-bucket
      AWS_ACCESS_KEY_ID: MINIOACCESSKEY
      AWS_SECRET_ACCESS_KEY: MINIOSECRETKEY
    volumes:
      - data:/backup/my-app-backup:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
 volumes:
  data:
 ```
 ## Backing up to MinIO (using Docker secrets)
 ```yml
 version: '3'
 services:
  # ... define other services using the `data` volume here
  backup:
    image: offen/docker-volume-backup:v2
    environment:
      AWS_ENDPOINT: minio.example.com
      AWS_S3_BUCKET_NAME: backup-bucket
      AWS_ACCESS_KEY_ID_FILE: /run/secrets/minio_access_key
      AWS_SECRET_ACCESS_KEY_FILE: /run/secrets/minio_secret_key
    volumes:
      - data:/backup/my-app-backup:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
    secrets:
      - minio_access_key
      - minio_secret_key
 volumes:
  data:
 secrets:
  minio_access_key:
    # ... define how secret is accessed
  minio_secret_key:
    # ... define how secret is accessed
 ```
 ## Backing up to WebDAV
 ```yml
 version: '3'
 services:
  # ... define other services using the `data` volume here
  backup:
    image: offen/docker-volume-backup:v2
    environment:
      WEBDAV_URL: https://webdav.mydomain.me
      WEBDAV_PATH: /my/directory/
      WEBDAV_USERNAME: user
      WEBDAV_PASSWORD: password
    volumes:
      - data:/backup/my-app-backup:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
 volumes:
  data:
 ```
 ## Backing up to SSH
 ```yml
 version: '3'
 services:
  # ... define other services using the `data` volume here
  backup:
    image: offen/docker-volume-backup:v2
    environment:
      SSH_HOST_NAME: server.local
      SSH_PORT: 2222
      SSH_USER: user
      SSH_REMOTE_PATH: /data
    volumes:
      - data:/backup/my-app-backup:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /path/to/private_key:/root/.ssh/id_rsa
 volumes:
  data:
 ```
 ## Backing up to Azure Blob Storage
 ```yml
 version: '3'
 services:
  # ... define other services using the `data` volume here
  backup:
    image: offen/docker-volume-backup:v2
    environment:
      AZURE_STORAGE_CONTAINER_NAME: backup-container
      AZURE_STORAGE_ACCOUNT_NAME: account-name
      AZURE_STORAGE_PRIMARY_ACCOUNT_KEY: Eby8vdM02xNOcqFlqUwJPLlmEtlCDXJ1OUzFT50uSRZ6IFsuFq2UVErCz4I6tq/K1SZFPTOtr/KBHBeksoGMGw==
    volumes:
      - data:/backup/my-app-backup:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
 volumes:
  data:
 ```
 ## Backing up to Dropbox
 See [Dropbox Setup](../how-tos/set-up-dropbox.md) on how to get the appropriate environment values.
 ```yml
 version: '3'
 services:
  # ... define other services using the `data` volume here
  backup:
    image: offen/docker-volume-backup:v2
    environment:
      DROPBOX_REFRESH_TOKEN: REFRESH_KEY  # replace
      DROPBOX_APP_KEY: APP_KEY  # replace
      DROPBOX_APP_SECRET: APP_SECRET  # replace
      DROPBOX_REMOTE_PATH: /Apps/my-test-app/some_subdir  # replace
    volumes:
      - data:/backup/my-app-backup:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
 volumes:
  data:
 ```
 ## Backing up locally
 ```yml
 version: '3'
 services:
  # ... define other services using the `data` volume here
  backup:
    image: offen/docker-volume-backup:v2
    environment:
      BACKUP_FILENAME: backup-%Y-%m-%dT%H-%M-%S.tar.gz
      BACKUP_LATEST_SYMLINK: backup-latest.tar.gz
    volumes:
      - data:/backup/my-app-backup:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ${HOME}/backups:/archive
 volumes:
  data:
 ```
 ## Backing up to AWS S3 as well as locally
 ```yml
 version: '3'
 services:
  # ... define other services using the `data` volume here
  backup:
    image: offen/docker-volume-backup:v2
    environment:
      AWS_S3_BUCKET_NAME: backup-bucket
      AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE
      AWS_SECRET_ACCESS_KEY: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
    volumes:
      - data:/backup/my-app-backup:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ${HOME}/backups:/archive
 volumes:
  data:
 ```
 ## Running on a custom cron schedule
 ```yml
 version: '3'
 services:
  # ... define other services using the `data` volume here
  backup:
    image: offen/docker-volume-backup:v2
    environment:
      # take a backup on every hour
      BACKUP_CRON_EXPRESSION: "0 * * * *"
      AWS_S3_BUCKET_NAME: backup-bucket
      AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE
      AWS_SECRET_ACCESS_KEY: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
    volumes:
      - data:/backup/my-app-backup:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
 volumes:
  data:
 ```
 ## Rotating away backups that are older than 7 days
 ```yml
 version: '3'
 services:
  # ... define other services using the `data` volume here
  backup:
    image: offen/docker-volume-backup:v2
    environment:
      AWS_S3_BUCKET_NAME: backup-bucket
      AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE
      AWS_SECRET_ACCESS_KEY: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
      BACKUP_FILENAME: backup-%Y-%m-%dT%H-%M-%S.tar.gz
      BACKUP_PRUNING_PREFIX: backup-
      BACKUP_RETENTION_DAYS: 7
    volumes:
      - data:/backup/my-app-backup:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
 volumes:
  data:
 ```
 ## Encrypting your backups using GPG
 ```yml
 version: '3'
 services:
  # ... define other services using the `data` volume here
  backup:
    image: offen/docker-volume-backup:v2
    environment:
      AWS_S3_BUCKET_NAME: backup-bucket
      AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE
      AWS_SECRET_ACCESS_KEY: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
      GPG_PASSPHRASE: somesecretstring
    volumes:
      - data:/backup/my-app-backup:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
 volumes:
  data:
 ```
 ## Using mysqldump to prepare the backup
 ```yml
 version: '3'
 services:
  database:
    image: mariadb:latest
    labels:
      - docker-volume-backup.archive-pre=/bin/sh -c 'mysqldump -psecret --all-databases > /tmp/dumps/dump.sql'
    volumes:
      - data:/tmp/dumps
  backup:
    image: offen/docker-volume-backup:v2
    environment:
      BACKUP_FILENAME: db.tar.gz
      BACKUP_CRON_EXPRESSION: "0 2 * * *"
    volumes:
      - ./local:/archive
      - data:/backup/data:ro
      - /var/run/docker.sock:/var/run/docker.sock
 volumes:
  data:
 ```
 ## Running multiple instances in the same setup
 ```yml
 version: '3'
 services:
  # ... define other services using the `data_1` and `data_2` volumes here
  backup_1: &backup_service
    image: offen/docker-volume-backup:v2
    environment: &backup_environment
      BACKUP_CRON_EXPRESSION: "0 2 * * *"
      AWS_S3_BUCKET_NAME: backup-bucket
      AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE
      AWS_SECRET_ACCESS_KEY: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
      # Label the container using the `data_1` volume as `docker-volume-backup.stop-during-backup=service1`
      BACKUP_STOP_DURING_BACKUP_LABEL: service1
    volumes:
      - data_1:/backup/data-1-backup:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
  backup_2:
    <<: *backup_service
    environment:
      <<: *backup_environment
      # Label the container using the `data_2` volume as `docker-volume-backup.stop-during-backup=service2`
      BACKUP_CRON_EXPRESSION: "0 3 * * *"
      BACKUP_STOP_DURING_BACKUP_LABEL: service2
    volumes:
      - data_2:/backup/data-2-backup:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
 volumes:
  data_1:
  data_2:
 ```
--- a/docs/reference/index.md
+++ b/docs/reference/index.md
@@ -0,0 +1,439 @@
 ---
 title: Configuration Reference
 layout: default
 nav_order: 2
 ---
 # Configuration reference
 Backup targets, schedule and retention are configured using environment variables.
 {: .note }
 You can use any environment variable from below also with a `_FILE` suffix to be able to load the value from a file.
 This is typically useful when using [Docker Secrets](https://docs.docker.com/engine/swarm/secrets/) or similar.
 Note that secrets will not be trimmed of leading or trailing whitespace.
 {: .warning }
 In case you encounter double quoted values in your runtime configuration you might still be using an [older version of `docker-compose`][compose-issue].
 You can work around this by either updating `docker-compose` or unquoting your configuration values.
 You can populate below template according to your requirements and use it as your `env_file`:
 {% raw %}
 ```
 ########### BACKUP SCHEDULE
 # A cron expression represents a set of times, using 5 or 6 space-separated fields.
 #
 # Field name   | Mandatory? | Allowed values  | Allowed special characters
 # ----------   | ---------- | --------------  | --------------------------
 # Seconds      | No         | 0-59            | * / , -
 # Minutes      | Yes        | 0-59            | * / , -
 # Hours        | Yes        | 0-23            | * / , -
 # Day of month | Yes        | 1-31            | * / , - ?
 # Month        | Yes        | 1-12 or JAN-DEC | * / , -
 # Day of week  | Yes        | 0-6 or SUN-SAT  | * / , - ?
 #
 # Month and Day-of-week field values are case insensitive.
 # "SUN", "Sun", and "sun" are equally accepted.
 # If no value is set, `@daily` will be used.
 # If you do not want the cron to ever run, use `0 0 5 31 2 ?`.
 # BACKUP_CRON_EXPRESSION="0 2 * * *"
 # The compression algorithm used in conjunction with tar.
 # Valid options are: "gz" (Gzip) and "zst" (Zstd).
 # Note that the selection affects the file extension.
 # BACKUP_COMPRESSION="gz"
 # Parallelism level for "gz" (Gzip) compression.
 # Defines how many blocks of data are concurrently processed.
 # Higher values result in faster compression. No effect on decompression
 # Default = 1. Setting this to 0 will use all available threads.
 # GZIP_PARALLELISM=1
 # The name of the backup file including the extension.
 # Format verbs will be replaced as in `strftime`. Omitting them
 # will result in the same filename for every backup run, which means previous
 # versions will be overwritten on subsequent runs.
 # Extension can be defined literally or via "{{ .Extension }}" template,
 # in which case it will become either "tar.gz" or "tar.zst" (depending
 # on your BACKUP_COMPRESSION setting).
 # The default results in filenames like: `backup-2021-08-29T04-00-00.tar.gz`.
 # BACKUP_FILENAME="backup-%Y-%m-%dT%H-%M-%S.{{ .Extension }}"
 # Setting BACKUP_FILENAME_EXPAND to true allows for environment variable
 # placeholders in BACKUP_FILENAME, BACKUP_LATEST_SYMLINK and in
 # BACKUP_PRUNING_PREFIX that will get expanded at runtime,
 # e.g. `backup-$HOSTNAME-%Y-%m-%dT%H-%M-%S.tar.gz`. Expansion happens before
 # interpolating strftime tokens. It is disabled by default.
 # Please note that you will need to escape the `$` when providing the value
 # in a docker-compose.yml file, i.e. using $$VAR instead of $VAR.
 # BACKUP_FILENAME_EXPAND="true"
 # When storing local backups, a symlink to the latest backup can be created
 # in case a value is given for this key. This has no effect on remote backups.
 # BACKUP_LATEST_SYMLINK="backup.latest.tar.gz"
 # ************************************************************************
 # The BACKUP_FROM_SNAPSHOT option has been deprecated and will be removed
 # in the next major version. Please use exec-pre and exec-post
 # as documented below instead.
 # ************************************************************************
 # Whether to copy the content of backup folder before creating the tar archive.
 # In the rare scenario where the content of the source backup volume is continuously
 # updating, but we do not wish to stop the container while performing the backup,
 # this setting can be used to ensure the integrity of the tar.gz file.
 # BACKUP_FROM_SNAPSHOT="false"
 # By default, the `/backup` directory inside the container will be backed up.
 # In case you need to use a custom location, set `BACKUP_SOURCES`.
 # BACKUP_SOURCES="/other/location"
 # When given, all files in BACKUP_SOURCES whose full path matches the given
 # regular expression will be excluded from the archive. Regular Expressions
 # can be used as from the Go standard library https://pkg.go.dev/regexp
 # BACKUP_EXCLUDE_REGEXP="\.log$"
 # Exclude one or many storage backends from the pruning process.
 # E.g. with one backend excluded: BACKUP_SKIP_BACKENDS_FROM_PRUNE=s3
 # E.g. with multiple backends excluded: BACKUP_SKIP_BACKENDS_FROM_PRUNE=s3,webdav
 # Available backends are: S3, WebDAV, SSH, Local, Dropbox, Azure
 # Note: The name of the backends is case insensitive. 
 # Default: All backends get pruned.
 # BACKUP_SKIP_BACKENDS_FROM_PRUNE=
 ########### BACKUP STORAGE
 # The name of the remote bucket that should be used for storing backups. If
 # this is not set, no remote backups will be stored.
 # AWS_S3_BUCKET_NAME="backup-bucket"
 # If you want to store the backup in a non-root location on your bucket
 # you can provide a path. The path must not contain a leading slash.
 # AWS_S3_PATH="my/backup/location"
 # Define credentials for authenticating against the backup storage and a bucket
 # name. Although all of these keys are `AWS`-prefixed, the setup can be used
 # with any S3 compatible storage.
 # AWS_ACCESS_KEY_ID="<xxx>"
 # AWS_SECRET_ACCESS_KEY="<xxx>"
 # Instead of providing static credentials, you can also use IAM instance profiles
 # or similar to provide authentication. Some possible configuration options on AWS:
 # - EC2: http://169.254.169.254
 # - ECS: http://169.254.170.2
 # AWS_IAM_ROLE_ENDPOINT="http://169.254.169.254"
 # This is the FQDN of your storage server, e.g. `storage.example.com`.
 # Do not set this when working against AWS S3 (the default value is
 # `s3.amazonaws.com`). If you need to set a specific (non-https) protocol, you
 # will need to use the option below.
 # AWS_ENDPOINT="storage.example.com"
 # The protocol to be used when communicating with your storage server.
 # Defaults to "https". You can set this to "http" when communicating with
 # a different Docker container on the same host for example.
 # AWS_ENDPOINT_PROTO="https"
 # Setting this variable to `true` will disable verification of
 # SSL certificates for AWS_ENDPOINT. You shouldn't use this unless you use
 # self-signed certificates for your remote storage backend. This can only be
 # used when AWS_ENDPOINT_PROTO is set to `https`.
 # AWS_ENDPOINT_INSECURE="true"
 # If you wish to use self signed certificates your S3 server, you can pass
 # the location of a PEM encoded CA certificate and it will be used for
 # validating your certificates.
 # Alternatively, pass a PEM encoded string containing the certificate.
 # AWS_ENDPOINT_CA_CERT="/path/to/cert.pem"
 # Setting this variable will change the S3 storage class header.
 # Defaults to "STANDARD", you can set this value according to your needs.
 # AWS_STORAGE_CLASS="GLACIER"
 # Setting this variable will change the S3 default part size for the copy step.
 # This value is useful when you want to upload large files.
 # NB : While using Scaleway as S3 provider, be aware that the parts counter is set to 1.000.
 # While Minio uses a hard coded value to 10.000. As a workaround, try to set a higher value.
 # Defaults to "16" (MB) if unset (from minio), you can set this value according to your needs.
 # The unit is in MB and an integer.
 # AWS_PART_SIZE=16
 # You can also backup files to any WebDAV server:
 # The URL of the remote WebDAV server
 # WEBDAV_URL="https://webdav.example.com"
 # The Directory to place the backups to on the WebDAV server.
 # If the path is not present on the server it will be created.
 # WEBDAV_PATH="/my/directory/"
 # The username for the WebDAV server
 # WEBDAV_USERNAME="user"
 # The password for the WebDAV server
 # WEBDAV_PASSWORD="password"
 # Setting this variable to `true` will disable verification of
 # SSL certificates for WEBDAV_URL. You shouldn't use this unless you use
 # self-signed certificates for your remote storage backend.
 # WEBDAV_URL_INSECURE="true"
 # You can also backup files to any SSH server:
 # The URL of the remote SSH server
 # SSH_HOST_NAME="server.local"
 # The port of the remote SSH server
 # Optional variable default value is `22`
 # SSH_PORT=2222
 # The Directory to place the backups to on the SSH server.
 # SSH_REMOTE_PATH="/my/directory/"
 # The username for the SSH server
 # SSH_USER="user"
 # The password for the SSH server
 # SSH_PASSWORD="password"
 # The private key path in container for SSH server
 # Default value: /root/.ssh/id_rsa
 # If file is mounted to /root/.ssh/id_rsa path it will be used. Non-RSA keys will
 # also work.
 # SSH_IDENTITY_FILE="/root/.ssh/id_rsa"
 # The passphrase for the identity file
 # SSH_IDENTITY_PASSPHRASE="pass"
 # The credential's account name when using Azure Blob Storage. This has to be
 # set when using Azure Blob Storage.
 # AZURE_STORAGE_ACCOUNT_NAME="account-name"
 # The credential's primary account key when using Azure Blob Storage. If this
 # is not given, the command tries to fall back to using a managed identity.
 # AZURE_STORAGE_PRIMARY_ACCOUNT_KEY="<xxx>"
 # The container name when using Azure Blob Storage.
 # AZURE_STORAGE_CONTAINER_NAME="container-name"
 # The service endpoint when using Azure Blob Storage. This is a template that
 # can be passed the account name as shown in the default value below.
 # AZURE_STORAGE_ENDPOINT="https://{{ .AccountName }}.blob.core.windows.net/"
 # Absolute remote path in your Dropbox where the backups shall be stored.
 # Note: Use your app's subpath in Dropbox, if it doesn't have global access.
 # Consulte the README for further information.
 # DROPBOX_REMOTE_PATH="/my/directory"
 # Number of concurrent chunked uploads for Dropbox.
 # Values above 6 usually result in no enhancements.
 # DROPBOX_CONCURRENCY_LEVEL="6"
 # App key and app secret from your app created at https://www.dropbox.com/developers/apps/info
 # DROPBOX_APP_KEY=""
 # DROPBOX_APP_SECRET=""
 # Refresh token to request new short-lived tokens (OAuth2). Consult README to see how to get one.
 # DROPBOX_REFRESH_TOKEN=""
 # In addition to storing backups remotely, you can also keep local copies.
 # Pass a container-local path to store your backups if needed. You also need to
 # mount a local folder or Docker volume into that location (`/archive`
 # by default) when running the container. In case the specified directory does
 # not exist (nothing is mounted) in the container when the backup is running,
 # local backups will be skipped. Local paths are also be subject to pruning of
 # old backups as defined below.
 # BACKUP_ARCHIVE="/archive"
 ########### BACKUP PRUNING
 # **IMPORTANT, PLEASE READ THIS BEFORE USING THIS FEATURE**:
 # The mechanism used for pruning old backups is not very sophisticated
 # and applies its rules to **all files in the target directory** by default,
 # which means that if you are storing your backups next to other files,
 # these might become subject to deletion too. When using this option
 # make sure the backup files are stored in a directory used exclusively
 # for such files, or to configure BACKUP_PRUNING_PREFIX to limit
 # removal to certain files.
 # Define this value to enable automatic rotation of old backups. The value
 # declares the number of days for which a backup is kept.
 # BACKUP_RETENTION_DAYS="7"
 # In case the duration a backup takes fluctuates noticeably in your setup
 # you can adjust this setting to make sure there are no race conditions
 # between the backup finishing and the rotation not deleting backups that
 # sit on the edge of the time window. Set this value to a duration
 # that is expected to be bigger than the maximum difference of backups.
 # Valid values have a suffix of (s)econds, (m)inutes or (h)ours. By default,
 # one minute is used.
 # BACKUP_PRUNING_LEEWAY="1m"
 # In case your target bucket or directory contains other files than the ones
 # managed by this container, you can limit the scope of rotation by setting
 # a prefix value. This would usually be the non-parametrized part of your
 # BACKUP_FILENAME. E.g. if BACKUP_FILENAME is `db-backup-%Y-%m-%dT%H-%M-%S.tar.gz`,
 # you can set BACKUP_PRUNING_PREFIX to `db-backup-` and make sure
 # unrelated files are not affected by the rotation mechanism.
 # BACKUP_PRUNING_PREFIX="backup-"
 ########### BACKUP ENCRYPTION
 # Backups can be encrypted using gpg in case a passphrase is given.
 # GPG_PASSPHRASE="<xxx>"
 ########### STOPPING CONTAINERS AND SERVICES DURING BACKUP
 # Containers or services can be stopped by applying a
 # `docker-volume-backup.stop-during-backup` label. By default, all containers and
 # services that are labeled with `true` will be stopped. If you need more fine
 # grained control (e.g. when running multiple containers based on this image),
 # you can override this default by specifying a different value here.
 # BACKUP_STOP_DURING_BACKUP_LABEL="service1"
 # When trying to scale down Docker Swarm services, give up after
 # the specified amount of time in case the service has not converged yet.
 # In case you need to adjust this timeout, supply a duration
 # value as per https://pkg.go.dev/time#ParseDuration to `BACKUP_STOP_SERVICE_TIMEOUT`.
 # Defaults to 5 minutes.
 # BACKUP_STOP_SERVICE_TIMEOUT="5m"
 ########### EXECUTING COMMANDS IN CONTAINERS PRE/POST BACKUP
 # It is possible to define commands to be run in any container before and after
 # a backup is conducted. The commands themselves are defined in labels like
 # `docker-volume-backup.archive-pre=/bin/sh -c 'mysqldump [options] > dump.sql'.
 # Several options exist for controlling this feature:
 # By default, any output of such a command is suppressed. If this value
 # is configured to be "true", command execution output will be forwarded to
 # the backup container's stdout and stderr.
 # EXEC_FORWARD_OUTPUT="true"
 # Without any further configuration, all commands defined in labels will be
 # run before and after a backup. If you need more fine grained control, you
 # can use this option to set a label that will be used for narrowing down
 # the set of eligible containers. When set, an eligible container will also need
 # to be labeled as `docker-volume-backup.exec-label=database`.
 # EXEC_LABEL="database"
 ########### NOTIFICATIONS
 # Notifications (email, Slack, etc.) can be sent out when a backup run finishes.
 # Configuration is provided as a comma-separated list of URLs as consumed
 # by `shoutrrr`: https://containrrr.dev/shoutrrr/0.7/services/overview/
 # The content of such notifications can be customized. Dedicated documentation
 # on how to do this can be found in the README. When providing multiple URLs or
 # an URL that contains a comma, the values can be URL encoded to avoid ambiguities.
 # The below URL demonstrates how to send an email using the provided SMTP
 # configuration and credentials.
 # NOTIFICATION_URLS=smtp://username:password@host:587/?fromAddress=sender@example.com&toAddresses=recipient@example.com
 # By default, notifications would only be sent out when a backup run fails
 # To receive notifications for every run, set `NOTIFICATION_LEVEL` to `info`
 # instead of the default `error`.
 # NOTIFICATION_LEVEL="error"
 ########### DOCKER HOST
 # If you are interfacing with Docker via TCP you can set the Docker host here
 # instead of mounting the Docker socket as a volume. This is unset by default.
 # DOCKER_HOST="tcp://docker_socket_proxy:2375"
 ########### LOCK_TIMEOUT
 # In the case of overlapping cron schedules run by the same container,
 # subsequent invocations will wait for previous runs to finish before starting.
 # By default, this will time out and fail in case the lock could not be acquired
 # after 60 minutes. In case you need to adjust this timeout, supply a duration
 # value as per https://pkg.go.dev/time#ParseDuration to `LOCK_TIMEOUT`
 # LOCK_TIMEOUT="60m"
 ########### EMAIL NOTIFICATIONS
 # ************************************************************************
 # Providing notification configuration like this has been deprecated
 # and will be removed in the next major version. Please use NOTIFICATION_URLS
 # as documented above instead.
 # ************************************************************************
 # In case SMTP credentials are provided, notification emails can be sent out when
 # a backup run finished. These emails will contain the start time, the error
 # message on failure and all prior log output.
 # The recipient(s) of the notification. Supply a comma separated list
 # of addresses if you want to notify multiple recipients. If this is
 # not set, no emails will be sent.
 # EMAIL_NOTIFICATION_RECIPIENT="you@example.com"
 # The "From" header of the sent email. Defaults to `noreply@nohost`.
 # EMAIL_NOTIFICATION_SENDER="no-reply@example.com"
 # Configuration and credentials for the SMTP server to be used.
 # EMAIL_SMTP_PORT defaults to 587.
 # EMAIL_SMTP_HOST="posteo.de"
 # EMAIL_SMTP_PASSWORD="<xxx>"
 # EMAIL_SMTP_USERNAME="no-reply@example.com"
 # EMAIL_SMTP_PORT="<port>"
 ```
 {% endraw %}
 [compose-issue]: https://github.com/docker/compose/issues/2854
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -1,14 +0,0 @@
 #!/bin/sh
 # Copyright 2021 - Offen Authors <hioffen@posteo.de>
 # SPDX-License-Identifier: MPL-2.0
 set -e
 BACKUP_CRON_EXPRESSION="${BACKUP_CRON_EXPRESSION:-@daily}"
 echo "Installing cron.d entry with expression $BACKUP_CRON_EXPRESSION."
 echo "$BACKUP_CRON_EXPRESSION backup 2>&1" | crontab -
 echo "Starting cron in foreground."
 crond -f -l 8
--- a/go.mod
+++ b/go.mod
@@ -1,47 +1,77 @@
 module github.com/offen/docker-volume-backup
-go 1.17
+go 1.21
 require (
-	github.com/docker/docker v20.10.8+incompatible
+	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.5.1
 	github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.2.1
 	github.com/containrrr/shoutrrr v0.7.1
 	github.com/cosiner/argv v0.1.0
 	github.com/docker/cli v24.0.1+incompatible
 	github.com/docker/docker v24.0.7+incompatible
 	github.com/gofrs/flock v0.8.1
-	github.com/kelseyhightower/envconfig v1.4.0
+	github.com/joho/godotenv v1.5.1
 	github.com/klauspost/compress v1.17.6
 	github.com/leekchan/timeutil v0.0.0-20150802142658-28917288c48d
-	github.com/m90/targz v0.0.0-20210904082215-2e9a4529a615
+	github.com/minio/minio-go/v7 v7.0.66
-	github.com/minio/minio-go/v7 v7.0.12
+	github.com/offen/envconfig v1.5.0
-	github.com/sirupsen/logrus v1.8.1
+	github.com/otiai10/copy v1.14.0
-	golang.org/x/crypto v0.0.0-20210817164053-32db794688a5
+	github.com/pkg/sftp v1.13.6
 	github.com/robfig/cron/v3 v3.0.0
 	github.com/studio-b12/gowebdav v0.9.0
 	golang.org/x/crypto v0.18.0
 	golang.org/x/oauth2 v0.16.0
 	golang.org/x/sync v0.6.0
 )
 require (
-	github.com/Microsoft/go-winio v0.4.17 // indirect
+	github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78 // indirect
-	github.com/containerd/containerd v1.5.5 // indirect
+	github.com/cloudflare/circl v1.3.7 // indirect
-	github.com/docker/distribution v2.7.1+incompatible // indirect
+	github.com/golang-jwt/jwt/v5 v5.2.0 // indirect
 	github.com/golang/protobuf v1.5.3 // indirect
 	golang.org/x/time v0.0.0-20220609170525-579cf78fd858 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/protobuf v1.31.0 // indirect
 )
 require (
 	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.9.1 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/internal v1.5.1 // indirect
 	github.com/AzureAD/microsoft-authentication-library-for-go v1.2.1 // indirect
 	github.com/Microsoft/go-winio v0.5.2 // indirect
 	github.com/ProtonMail/go-crypto v1.1.0-alpha.0
 	github.com/docker/distribution v2.8.2+incompatible // indirect
 	github.com/docker/go-connections v0.4.0 // indirect
 	github.com/docker/go-units v0.4.0 // indirect
-	github.com/dustin/go-humanize v1.0.0 // indirect
+	github.com/dropbox/dropbox-sdk-go-unofficial/v6 v6.0.5
-	github.com/go-gomail/gomail v0.0.0-20160411212932-81ebce5c23df // indirect
+	github.com/dustin/go-humanize v1.0.1 // indirect
 	github.com/fatih/color v1.13.0 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
-	github.com/golang/protobuf v1.5.0 // indirect
+	github.com/google/uuid v1.5.0 // indirect
-	github.com/google/uuid v1.2.0 // indirect
+	github.com/json-iterator/go v1.1.12 // indirect
-	github.com/json-iterator/go v1.1.10 // indirect
+	github.com/klauspost/cpuid/v2 v2.2.6 // indirect
-	github.com/klauspost/cpuid v1.3.1 // indirect
+	github.com/klauspost/pgzip v1.2.6
-	github.com/minio/md5-simd v1.1.0 // indirect
+	github.com/kr/fs v0.1.0 // indirect
-	github.com/minio/sha256-simd v0.1.1 // indirect
+	github.com/kylelemons/godebug v1.1.0 // indirect
-	github.com/mitchellh/go-homedir v1.1.0 // indirect
+	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-isatty v0.0.16 // indirect
 	github.com/minio/md5-simd v1.1.2 // indirect
 	github.com/minio/sha256-simd v1.0.1 // indirect
 	github.com/moby/term v0.0.0-20200312100748-672ec06f55cd // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
-	github.com/modern-go/reflect2 v1.0.1 // indirect
+	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/morikuni/aec v1.0.0 // indirect
 	github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
-	github.com/opencontainers/image-spec v1.0.1 // indirect
+	github.com/opencontainers/image-spec v1.0.3-0.20211202183452-c5a74bcca799 // indirect
 	github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
 	github.com/pkg/errors v0.9.1 // indirect
-	github.com/rs/xid v1.2.1 // indirect
+	github.com/rs/xid v1.5.0 // indirect
-	golang.org/x/net v0.0.0-20210226172049-e18ecbb05110 // indirect
+	github.com/sirupsen/logrus v1.9.3 // indirect
-	golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1 // indirect
+	golang.org/x/net v0.20.0 // indirect
-	golang.org/x/text v0.3.4 // indirect
+	golang.org/x/sys v0.16.0 // indirect
-	google.golang.org/genproto v0.0.0-20201110150050-8816d57aaa9a // indirect
+	golang.org/x/text v0.14.0 // indirect
-	google.golang.org/grpc v1.33.2 // indirect
+	gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f // indirect
-	google.golang.org/protobuf v1.26.0 // indirect
+	gopkg.in/ini.v1 v1.67.0 // indirect
-	gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc // indirect
+	gotest.tools/v3 v3.0.3 // indirect
 	gopkg.in/ini.v1 v1.57.0 // indirect
 )
--- a/go.sum
+++ b/go.sum
--- a/internal/storage/azure/azure.go
+++ b/internal/storage/azure/azure.go
@@ -0,0 +1,158 @@
 // Copyright 2022 - Offen Authors <hioffen@posteo.de>
 // SPDX-License-Identifier: MPL-2.0
 package azure
 import (
 	"bytes"
 	"context"
 	"errors"
 	"fmt"
 	"os"
 	"path/filepath"
 	"strings"
 	"sync"
 	"text/template"
 	"time"
 	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
 	"github.com/Azure/azure-sdk-for-go/sdk/storage/azblob"
 	"github.com/Azure/azure-sdk-for-go/sdk/storage/azblob/container"
 	"github.com/offen/docker-volume-backup/internal/storage"
 )
 type azureBlobStorage struct {
 	*storage.StorageBackend
 	client        *azblob.Client
 	containerName string
 }
 // Config contains values that define the configuration of an Azure Blob Storage.
 type Config struct {
 	AccountName       string
 	ContainerName     string
 	PrimaryAccountKey string
 	Endpoint          string
 	RemotePath        string
 }
 // NewStorageBackend creates and initializes a new Azure Blob Storage backend.
 func NewStorageBackend(opts Config, logFunc storage.Log) (storage.Backend, error) {
 	endpointTemplate, err := template.New("endpoint").Parse(opts.Endpoint)
 	if err != nil {
 		return nil, fmt.Errorf("NewStorageBackend: error parsing endpoint template: %w", err)
 	}
 	var ep bytes.Buffer
 	if err := endpointTemplate.Execute(&ep, opts); err != nil {
 		return nil, fmt.Errorf("NewStorageBackend: error executing endpoint template: %w", err)
 	}
 	normalizedEndpoint := fmt.Sprintf("%s/", strings.TrimSuffix(ep.String(), "/"))
 	var client *azblob.Client
 	if opts.PrimaryAccountKey != "" {
 		cred, err := azblob.NewSharedKeyCredential(opts.AccountName, opts.PrimaryAccountKey)
 		if err != nil {
 			return nil, fmt.Errorf("NewStorageBackend: error creating shared key Azure credential: %w", err)
 		}
 		client, err = azblob.NewClientWithSharedKeyCredential(normalizedEndpoint, cred, nil)
 		if err != nil {
 			return nil, fmt.Errorf("NewStorageBackend: error creating Azure client: %w", err)
 		}
 	} else {
 		cred, err := azidentity.NewManagedIdentityCredential(nil)
 		if err != nil {
 			return nil, fmt.Errorf("NewStorageBackend: error creating managed identity credential: %w", err)
 		}
 		client, err = azblob.NewClient(normalizedEndpoint, cred, nil)
 		if err != nil {
 			return nil, fmt.Errorf("NewStorageBackend: error creating Azure client: %w", err)
 		}
 	}
 	storage := azureBlobStorage{
 		client:        client,
 		containerName: opts.ContainerName,
 		StorageBackend: &storage.StorageBackend{
 			DestinationPath: opts.RemotePath,
 			Log:             logFunc,
 		},
 	}
 	return &storage, nil
 }
 // Name returns the name of the storage backend
 func (b *azureBlobStorage) Name() string {
 	return "Azure"
 }
 // Copy copies the given file to the storage backend.
 func (b *azureBlobStorage) Copy(file string) error {
 	fileReader, err := os.Open(file)
 	if err != nil {
 		return fmt.Errorf("(*azureBlobStorage).Copy: error opening file %s: %w", file, err)
 	}
 	_, err = b.client.UploadStream(
 		context.Background(),
 		b.containerName,
 		filepath.Join(b.DestinationPath, filepath.Base(file)),
 		fileReader,
 		nil,
 	)
 	if err != nil {
 		return fmt.Errorf("(*azureBlobStorage).Copy: error uploading file %s: %w", file, err)
 	}
 	return nil
 }
 // Prune rotates away backups according to the configuration and provided
 // deadline for the Azure Blob storage backend.
 func (b *azureBlobStorage) Prune(deadline time.Time, pruningPrefix string) (*storage.PruneStats, error) {
 	lookupPrefix := filepath.Join(b.DestinationPath, pruningPrefix)
 	pager := b.client.NewListBlobsFlatPager(b.containerName, &container.ListBlobsFlatOptions{
 		Prefix: &lookupPrefix,
 	})
 	var matches []string
 	var totalCount uint
 	for pager.More() {
 		resp, err := pager.NextPage(context.Background())
 		if err != nil {
 			return nil, fmt.Errorf("(*azureBlobStorage).Prune: error paging over blobs: %w", err)
 		}
 		for _, v := range resp.Segment.BlobItems {
 			totalCount++
 			if v.Properties.LastModified.Before(deadline) {
 				matches = append(matches, *v.Name)
 			}
 		}
 	}
 	stats := &storage.PruneStats{
 		Total:  totalCount,
 		Pruned: uint(len(matches)),
 	}
 	pruneErr := b.DoPrune(b.Name(), len(matches), int(totalCount), deadline, func() error {
 		wg := sync.WaitGroup{}
 		wg.Add(len(matches))
 		var errs []error
 		for _, match := range matches {
 			name := match
 			go func() {
 				_, err := b.client.DeleteBlob(context.Background(), b.containerName, name, nil)
 				if err != nil {
 					errs = append(errs, err)
 				}
 				wg.Done()
 			}()
 		}
 		wg.Wait()
 		if len(errs) != 0 {
 			return errors.Join(errs...)
 		}
 		return nil
 	})
 	return stats, pruneErr
 }
--- a/internal/storage/dropbox/dropbox.go
+++ b/internal/storage/dropbox/dropbox.go
@@ -0,0 +1,258 @@
 package dropbox
 import (
 	"bytes"
 	"context"
 	"fmt"
 	"net/url"
 	"os"
 	"path"
 	"path/filepath"
 	"strings"
 	"sync"
 	"time"
 	"github.com/dropbox/dropbox-sdk-go-unofficial/v6/dropbox"
 	"github.com/dropbox/dropbox-sdk-go-unofficial/v6/dropbox/files"
 	"github.com/offen/docker-volume-backup/internal/storage"
 	"golang.org/x/oauth2"
 )
 type dropboxStorage struct {
 	*storage.StorageBackend
 	client           files.Client
 	concurrencyLevel int
 }
 // Config allows to configure a Dropbox storage backend.
 type Config struct {
 	Endpoint         string
 	OAuth2Endpoint   string
 	RefreshToken     string
 	AppKey           string
 	AppSecret        string
 	RemotePath       string
 	ConcurrencyLevel int
 }
 // NewStorageBackend creates and initializes a new Dropbox storage backend.
 func NewStorageBackend(opts Config, logFunc storage.Log) (storage.Backend, error) {
 	tokenUrl, _ := url.JoinPath(opts.OAuth2Endpoint, "oauth2/token")
 	conf := &oauth2.Config{
 		ClientID:     opts.AppKey,
 		ClientSecret: opts.AppSecret,
 		Endpoint: oauth2.Endpoint{
 			TokenURL: tokenUrl,
 		},
 	}
 	logFunc(storage.LogLevelInfo, "Dropbox", "Fetching fresh access token for Dropbox storage backend.")
 	tkSource := conf.TokenSource(context.Background(), &oauth2.Token{RefreshToken: opts.RefreshToken})
 	token, err := tkSource.Token()
 	if err != nil {
 		return nil, fmt.Errorf("(*dropboxStorage).NewStorageBackend: Error refreshing token: %w", err)
 	}
 	dbxConfig := dropbox.Config{
 		Token: token.AccessToken,
 	}
 	if opts.Endpoint != "https://api.dropbox.com/" {
 		dbxConfig.URLGenerator = func(hostType string, namespace string, route string) string {
 			return fmt.Sprintf("%s/%d/%s/%s", opts.Endpoint, 2, namespace, route)
 		}
 	}
 	client := files.New(dbxConfig)
 	if opts.ConcurrencyLevel < 1 {
 		logFunc(storage.LogLevelWarning, "Dropbox", "Concurrency level must be at least 1! Using 1 instead of %d.", opts.ConcurrencyLevel)
 		opts.ConcurrencyLevel = 1
 	}
 	return &dropboxStorage{
 		StorageBackend: &storage.StorageBackend{
 			DestinationPath: opts.RemotePath,
 			Log:             logFunc,
 		},
 		client:           client,
 		concurrencyLevel: opts.ConcurrencyLevel,
 	}, nil
 }
 // Name returns the name of the storage backend
 func (b *dropboxStorage) Name() string {
 	return "Dropbox"
 }
 // Copy copies the given file to the WebDav storage backend.
 func (b *dropboxStorage) Copy(file string) error {
 	_, name := path.Split(file)
 	folderArg := files.NewCreateFolderArg(b.DestinationPath)
 	if _, err := b.client.CreateFolderV2(folderArg); err != nil {
 		switch err := err.(type) {
 		case files.CreateFolderV2APIError:
 			if err.EndpointError.Path.Tag != files.WriteErrorConflict {
 				return fmt.Errorf("(*dropboxStorage).Copy: Error creating directory '%s': %w", b.DestinationPath, err)
 			}
 			b.Log(storage.LogLevelInfo, b.Name(), "Destination path '%s' already exists, no new directory required.", b.DestinationPath)
 		default:
 			return fmt.Errorf("(*dropboxStorage).Copy: Error creating directory '%s': %w", b.DestinationPath, err)
 		}
 	}
 	r, err := os.Open(file)
 	if err != nil {
 		return fmt.Errorf("(*dropboxStorage).Copy: Error opening the file to be uploaded: %w", err)
 	}
 	defer r.Close()
 	// Start new upload session and get session id
 	b.Log(storage.LogLevelInfo, b.Name(), "Starting upload session for backup '%s' at path '%s'.", file, b.DestinationPath)
 	var sessionId string
 	uploadSessionStartArg := files.NewUploadSessionStartArg()
 	uploadSessionStartArg.SessionType = &files.UploadSessionType{Tagged: dropbox.Tagged{Tag: files.UploadSessionTypeConcurrent}}
 	if res, err := b.client.UploadSessionStart(uploadSessionStartArg, nil); err != nil {
 		return fmt.Errorf("(*dropboxStorage).Copy: Error starting the upload session: %w", err)
 	} else {
 		sessionId = res.SessionId
 	}
 	// Send the file in 148MB chunks (Dropbox API limit is 150MB, concurrent upload requires a multiple of 4MB though)
 	// Last append can be any size <= 150MB with Close=True
 	const chunkSize = 148 * 1024 * 1024 // 148MB
 	var offset uint64 = 0
 	var guard = make(chan struct{}, b.concurrencyLevel)
 	var errorChn = make(chan error, b.concurrencyLevel)
 	var EOFChn = make(chan bool, b.concurrencyLevel)
 	var mu sync.Mutex
 	var wg sync.WaitGroup
 loop:
 	for {
 		guard <- struct{}{} // limit concurrency
 		select {
 		case err := <-errorChn: // error from goroutine
 			return err
 		case <-EOFChn: // EOF from goroutine
 			wg.Wait() // wait for all goroutines to finish
 			break loop
 		default:
 		}
 		go func() {
 			defer func() {
 				wg.Done()
 				<-guard
 			}()
 			wg.Add(1)
 			chunk := make([]byte, chunkSize)
 			mu.Lock() // to preserve offset of chunks
 			select {
 			case <-EOFChn:
 				EOFChn <- true // put it back for outer loop
 				mu.Unlock()
 				return // already EOF
 			default:
 			}
 			bytesRead, err := r.Read(chunk)
 			if err != nil {
 				errorChn <- fmt.Errorf("(*dropboxStorage).Copy: Error reading the file to be uploaded: %w", err)
 				mu.Unlock()
 				return
 			}
 			chunk = chunk[:bytesRead]
 			uploadSessionAppendArg := files.NewUploadSessionAppendArg(
 				files.NewUploadSessionCursor(sessionId, offset),
 			)
 			isEOF := bytesRead < chunkSize
 			uploadSessionAppendArg.Close = isEOF
 			if isEOF {
 				EOFChn <- true
 			}
 			offset += uint64(bytesRead)
 			mu.Unlock()
 			if err := b.client.UploadSessionAppendV2(uploadSessionAppendArg, bytes.NewReader(chunk)); err != nil {
 				errorChn <- fmt.Errorf("(*dropboxStorage).Copy: Error appending the file to the upload session: %w", err)
 				return
 			}
 		}()
 	}
 	// Finish the upload session, commit the file (no new data added)
 	_, err = b.client.UploadSessionFinish(
 		files.NewUploadSessionFinishArg(
 			files.NewUploadSessionCursor(sessionId, 0),
 			files.NewCommitInfo(filepath.Join(b.DestinationPath, name)),
 		), nil)
 	if err != nil {
 		return fmt.Errorf("(*dropboxStorage).Copy: Error finishing the upload session: %w", err)
 	}
 	b.Log(storage.LogLevelInfo, b.Name(), "Uploaded a copy of backup '%s' at path '%s'.", file, b.DestinationPath)
 	return nil
 }
 // Prune rotates away backups according to the configuration and provided deadline for the Dropbox storage backend.
 func (b *dropboxStorage) Prune(deadline time.Time, pruningPrefix string) (*storage.PruneStats, error) {
 	var entries []files.IsMetadata
 	res, err := b.client.ListFolder(files.NewListFolderArg(b.DestinationPath))
 	if err != nil {
 		return nil, fmt.Errorf("(*webDavStorage).Prune: Error looking up candidates from remote storage: %w", err)
 	}
 	entries = append(entries, res.Entries...)
 	for res.HasMore {
 		res, err = b.client.ListFolderContinue(files.NewListFolderContinueArg(res.Cursor))
 		if err != nil {
 			return nil, fmt.Errorf("(*webDavStorage).Prune: Error looking up candidates from remote storage: %w", err)
 		}
 		entries = append(entries, res.Entries...)
 	}
 	var matches []*files.FileMetadata
 	var lenCandidates int
 	for _, candidate := range entries {
 		switch candidate := candidate.(type) {
 		case *files.FileMetadata:
 			if !strings.HasPrefix(candidate.Name, pruningPrefix) {
 				continue
 			}
 			lenCandidates++
 			if candidate.ServerModified.Before(deadline) {
 				matches = append(matches, candidate)
 			}
 		default:
 			continue
 		}
 	}
 	stats := &storage.PruneStats{
 		Total:  uint(lenCandidates),
 		Pruned: uint(len(matches)),
 	}
 	pruneErr := b.DoPrune(b.Name(), len(matches), lenCandidates, deadline, func() error {
 		for _, match := range matches {
 			if _, err := b.client.DeleteV2(files.NewDeleteArg(filepath.Join(b.DestinationPath, match.Name))); err != nil {
 				return fmt.Errorf("(*dropboxStorage).Prune: Error removing file from Dropbox storage: %w", err)
 			}
 		}
 		return nil
 	})
 	return stats, pruneErr
 }
--- a/internal/storage/local/local.go
+++ b/internal/storage/local/local.go
@@ -0,0 +1,158 @@
 // Copyright 2022 - Offen Authors <hioffen@posteo.de>
 // SPDX-License-Identifier: MPL-2.0
 package local
 import (
 	"errors"
 	"fmt"
 	"io"
 	"os"
 	"path"
 	"path/filepath"
 	"time"
 	"github.com/offen/docker-volume-backup/internal/storage"
 )
 type localStorage struct {
 	*storage.StorageBackend
 	latestSymlink string
 }
 // Config allows configuration of a local storage backend.
 type Config struct {
 	ArchivePath   string
 	LatestSymlink string
 }
 // NewStorageBackend creates and initializes a new local storage backend.
 func NewStorageBackend(opts Config, logFunc storage.Log) storage.Backend {
 	return &localStorage{
 		StorageBackend: &storage.StorageBackend{
 			DestinationPath: opts.ArchivePath,
 			Log:             logFunc,
 		},
 		latestSymlink: opts.LatestSymlink,
 	}
 }
 // Name return the name of the storage backend
 func (b *localStorage) Name() string {
 	return "Local"
 }
 // Copy copies the given file to the local storage backend.
 func (b *localStorage) Copy(file string) error {
 	_, name := path.Split(file)
 	if err := copyFile(file, path.Join(b.DestinationPath, name)); err != nil {
 		return fmt.Errorf("(*localStorage).Copy: Error copying file to archive: %w", err)
 	}
 	b.Log(storage.LogLevelInfo, b.Name(), "Stored copy of backup `%s` in `%s`.", file, b.DestinationPath)
 	if b.latestSymlink != "" {
 		symlink := path.Join(b.DestinationPath, b.latestSymlink)
 		if _, err := os.Lstat(symlink); err == nil {
 			os.Remove(symlink)
 		}
 		if err := os.Symlink(name, symlink); err != nil {
 			return fmt.Errorf("(*localStorage).Copy: error creating latest symlink: %w", err)
 		}
 		b.Log(storage.LogLevelInfo, b.Name(), "Created/Updated symlink `%s` for latest backup.", b.latestSymlink)
 	}
 	return nil
 }
 // Prune rotates away backups according to the configuration and provided deadline for the local storage backend.
 func (b *localStorage) Prune(deadline time.Time, pruningPrefix string) (*storage.PruneStats, error) {
 	globPattern := path.Join(
 		b.DestinationPath,
 		fmt.Sprintf("%s*", pruningPrefix),
 	)
 	globMatches, err := filepath.Glob(globPattern)
 	if err != nil {
 		return nil, fmt.Errorf(
 			"(*localStorage).Prune: Error looking up matching files using pattern %s: %w",
 			globPattern,
 			err,
 		)
 	}
 	var candidates []string
 	for _, candidate := range globMatches {
 		fi, err := os.Lstat(candidate)
 		if err != nil {
 			return nil, fmt.Errorf(
 				"(*localStorage).Prune: Error calling Lstat on file %s: %w",
 				candidate,
 				err,
 			)
 		}
 		if fi.Mode()&os.ModeSymlink != os.ModeSymlink {
 			candidates = append(candidates, candidate)
 		}
 	}
 	var matches []string
 	for _, candidate := range candidates {
 		fi, err := os.Stat(candidate)
 		if err != nil {
 			return nil, fmt.Errorf(
 				"(*localStorage).Prune: Error calling stat on file %s: %w",
 				candidate,
 				err,
 			)
 		}
 		if fi.ModTime().Before(deadline) {
 			matches = append(matches, candidate)
 		}
 	}
 	stats := &storage.PruneStats{
 		Total:  uint(len(candidates)),
 		Pruned: uint(len(matches)),
 	}
 	pruneErr := b.DoPrune(b.Name(), len(matches), len(candidates), deadline, func() error {
 		var removeErrors []error
 		for _, match := range matches {
 			if err := os.Remove(match); err != nil {
 				removeErrors = append(removeErrors, err)
 			}
 		}
 		if len(removeErrors) != 0 {
 			return fmt.Errorf(
 				"(*localStorage).Prune: %d error(s) deleting files, starting with: %w",
 				len(removeErrors),
 				errors.Join(removeErrors...),
 			)
 		}
 		return nil
 	})
 	return stats, pruneErr
 }
 // copy creates a copy of the file located at `dst` at `src`.
 func copyFile(src, dst string) error {
 	in, err := os.Open(src)
 	if err != nil {
 		return err
 	}
 	defer in.Close()
 	out, err := os.Create(dst)
 	if err != nil {
 		return err
 	}
 	_, err = io.Copy(out, in)
 	if err != nil {
 		out.Close()
 		return err
 	}
 	return out.Close()
 }
--- a/internal/storage/s3/s3.go
+++ b/internal/storage/s3/s3.go
@@ -0,0 +1,192 @@
 // Copyright 2022 - Offen Authors <hioffen@posteo.de>
 // SPDX-License-Identifier: MPL-2.0
 package s3
 import (
 	"context"
 	"crypto/x509"
 	"errors"
 	"fmt"
 	"os"
 	"path"
 	"path/filepath"
 	"time"
 	"github.com/minio/minio-go/v7"
 	"github.com/minio/minio-go/v7/pkg/credentials"
 	"github.com/offen/docker-volume-backup/internal/storage"
 )
 type s3Storage struct {
 	*storage.StorageBackend
 	client       *minio.Client
 	bucket       string
 	storageClass string
 	partSize     int64
 }
 // Config contains values that define the configuration of a S3 backend.
 type Config struct {
 	Endpoint         string
 	AccessKeyID      string
 	SecretAccessKey  string
 	IamRoleEndpoint  string
 	EndpointProto    string
 	EndpointInsecure bool
 	RemotePath       string
 	BucketName       string
 	StorageClass     string
 	PartSize         int64
 	CACert           *x509.Certificate
 }
 // NewStorageBackend creates and initializes a new S3/Minio storage backend.
 func NewStorageBackend(opts Config, logFunc storage.Log) (storage.Backend, error) {
 	var creds *credentials.Credentials
 	if opts.AccessKeyID != "" && opts.SecretAccessKey != "" {
 		creds = credentials.NewStaticV4(
 			opts.AccessKeyID,
 			opts.SecretAccessKey,
 			"",
 		)
 	} else if opts.IamRoleEndpoint != "" {
 		creds = credentials.NewIAM(opts.IamRoleEndpoint)
 	} else {
 		return nil, errors.New("NewStorageBackend: AWS_S3_BUCKET_NAME is defined, but no credentials were provided")
 	}
 	options := minio.Options{
 		Creds:  creds,
 		Secure: opts.EndpointProto == "https",
 	}
 	transport, err := minio.DefaultTransport(true)
 	if err != nil {
 		return nil, fmt.Errorf("NewStorageBackend: failed to create default minio transport: %w", err)
 	}
 	if opts.EndpointInsecure {
 		if !options.Secure {
 			return nil, errors.New("NewStorageBackend: AWS_ENDPOINT_INSECURE = true is only meaningful for https")
 		}
 		transport.TLSClientConfig.InsecureSkipVerify = true
 	} else if opts.CACert != nil {
 		if transport.TLSClientConfig.RootCAs == nil {
 			transport.TLSClientConfig.RootCAs = x509.NewCertPool()
 		}
 		transport.TLSClientConfig.RootCAs.AddCert(opts.CACert)
 	}
 	options.Transport = transport
 	mc, err := minio.New(opts.Endpoint, &options)
 	if err != nil {
 		return nil, fmt.Errorf("NewStorageBackend: error setting up minio client: %w", err)
 	}
 	return &s3Storage{
 		StorageBackend: &storage.StorageBackend{
 			DestinationPath: opts.RemotePath,
 			Log:             logFunc,
 		},
 		client:       mc,
 		bucket:       opts.BucketName,
 		storageClass: opts.StorageClass,
 		partSize:     opts.PartSize,
 	}, nil
 }
 // Name returns the name of the storage backend
 func (v *s3Storage) Name() string {
 	return "S3"
 }
 // Copy copies the given file to the S3/Minio storage backend.
 func (b *s3Storage) Copy(file string) error {
 	_, name := path.Split(file)
 	putObjectOptions := minio.PutObjectOptions{
 		ContentType:  "application/tar+gzip",
 		StorageClass: b.storageClass,
 	}
 	if b.partSize > 0 {
 		srcFileInfo, err := os.Stat(file)
 		if err != nil {
 			return fmt.Errorf("(*s3Storage).Copy: error reading the local file: %w", err)
 		}
 		_, partSize, _, err := minio.OptimalPartInfo(srcFileInfo.Size(), uint64(b.partSize*1024*1024))
 		if err != nil {
 			return fmt.Errorf("(*s3Storage).Copy: error computing the optimal s3 part size: %w", err)
 		}
 		putObjectOptions.PartSize = uint64(partSize)
 	}
 	if _, err := b.client.FPutObject(context.Background(), b.bucket, filepath.Join(b.DestinationPath, name), file, putObjectOptions); err != nil {
 		if errResp := minio.ToErrorResponse(err); errResp.Message != "" {
 			return fmt.Errorf(
 				"(*s3Storage).Copy: error uploading backup to remote storage: [Message]: '%s', [Code]: %s, [StatusCode]: %d",
 				errResp.Message,
 				errResp.Code,
 				errResp.StatusCode,
 			)
 		}
 		return fmt.Errorf("(*s3Storage).Copy: error uploading backup to remote storage: %w", err)
 	}
 	b.Log(storage.LogLevelInfo, b.Name(), "Uploaded a copy of backup `%s` to bucket `%s`.", file, b.bucket)
 	return nil
 }
 // Prune rotates away backups according to the configuration and provided deadline for the S3/Minio storage backend.
 func (b *s3Storage) Prune(deadline time.Time, pruningPrefix string) (*storage.PruneStats, error) {
 	candidates := b.client.ListObjects(context.Background(), b.bucket, minio.ListObjectsOptions{
 		Prefix:    filepath.Join(b.DestinationPath, pruningPrefix),
 		Recursive: true,
 	})
 	var matches []minio.ObjectInfo
 	var lenCandidates int
 	for candidate := range candidates {
 		lenCandidates++
 		if candidate.Err != nil {
 			return nil, fmt.Errorf(
 				"(*s3Storage).Prune: error looking up candidates from remote storage! %w",
 				candidate.Err,
 			)
 		}
 		if candidate.LastModified.Before(deadline) {
 			matches = append(matches, candidate)
 		}
 	}
 	stats := &storage.PruneStats{
 		Total:  uint(lenCandidates),
 		Pruned: uint(len(matches)),
 	}
 	pruneErr := b.DoPrune(b.Name(), len(matches), lenCandidates, deadline, func() error {
 		objectsCh := make(chan minio.ObjectInfo)
 		go func() {
 			for _, match := range matches {
 				objectsCh <- match
 			}
 			close(objectsCh)
 		}()
 		errChan := b.client.RemoveObjects(context.Background(), b.bucket, objectsCh, minio.RemoveObjectsOptions{})
 		var removeErrors []error
 		for result := range errChan {
 			if result.Err != nil {
 				removeErrors = append(removeErrors, result.Err)
 			}
 		}
 		if len(removeErrors) != 0 {
 			return errors.Join(removeErrors...)
 		}
 		return nil
 	})
 	return stats, pruneErr
 }
--- a/internal/storage/ssh/ssh.go
+++ b/internal/storage/ssh/ssh.go
@@ -0,0 +1,191 @@
 // Copyright 2022 - Offen Authors <hioffen@posteo.de>
 // SPDX-License-Identifier: MPL-2.0
 package ssh
 import (
 	"errors"
 	"fmt"
 	"io"
 	"os"
 	"path"
 	"path/filepath"
 	"strings"
 	"time"
 	"github.com/offen/docker-volume-backup/internal/storage"
 	"github.com/pkg/sftp"
 	"golang.org/x/crypto/ssh"
 )
 type sshStorage struct {
 	*storage.StorageBackend
 	client     *ssh.Client
 	sftpClient *sftp.Client
 	hostName   string
 }
 // Config allows to configure a SSH backend.
 type Config struct {
 	HostName           string
 	Port               string
 	User               string
 	Password           string
 	IdentityFile       string
 	IdentityPassphrase string
 	RemotePath         string
 }
 // NewStorageBackend creates and initializes a new SSH storage backend.
 func NewStorageBackend(opts Config, logFunc storage.Log) (storage.Backend, error) {
 	var authMethods []ssh.AuthMethod
 	if opts.Password != "" {
 		authMethods = append(authMethods, ssh.Password(opts.Password))
 	}
 	if _, err := os.Stat(opts.IdentityFile); err == nil {
 		key, err := os.ReadFile(opts.IdentityFile)
 		if err != nil {
 			return nil, errors.New("NewStorageBackend: error reading the private key")
 		}
 		var signer ssh.Signer
 		if opts.IdentityPassphrase != "" {
 			signer, err = ssh.ParsePrivateKeyWithPassphrase(key, []byte(opts.IdentityPassphrase))
 			if err != nil {
 				return nil, errors.New("NewStorageBackend: error parsing the encrypted private key")
 			}
 			authMethods = append(authMethods, ssh.PublicKeys(signer))
 		} else {
 			signer, err = ssh.ParsePrivateKey(key)
 			if err != nil {
 				return nil, errors.New("NewStorageBackend: error parsing the private key")
 			}
 			authMethods = append(authMethods, ssh.PublicKeys(signer))
 		}
 	}
 	sshClientConfig := &ssh.ClientConfig{
 		User:            opts.User,
 		Auth:            authMethods,
 		HostKeyCallback: ssh.InsecureIgnoreHostKey(),
 	}
 	sshClient, err := ssh.Dial("tcp", fmt.Sprintf("%s:%s", opts.HostName, opts.Port), sshClientConfig)
 	if err != nil {
 		return nil, fmt.Errorf("NewStorageBackend: error creating ssh client: %w", err)
 	}
 	_, _, err = sshClient.SendRequest("keepalive", false, nil)
 	if err != nil {
 		return nil, err
 	}
 	sftpClient, err := sftp.NewClient(sshClient,
 		sftp.UseConcurrentReads(true),
 		sftp.UseConcurrentWrites(true),
 		sftp.MaxConcurrentRequestsPerFile(64),
 	)
 	if err != nil {
 		return nil, fmt.Errorf("NewStorageBackend: error creating sftp client: %w", err)
 	}
 	return &sshStorage{
 		StorageBackend: &storage.StorageBackend{
 			DestinationPath: opts.RemotePath,
 			Log:             logFunc,
 		},
 		client:     sshClient,
 		sftpClient: sftpClient,
 		hostName:   opts.HostName,
 	}, nil
 }
 // Name returns the name of the storage backend
 func (b *sshStorage) Name() string {
 	return "SSH"
 }
 // Copy copies the given file to the SSH storage backend.
 func (b *sshStorage) Copy(file string) error {
 	source, err := os.Open(file)
 	_, name := path.Split(file)
 	if err != nil {
 		return fmt.Errorf("(*sshStorage).Copy: error reading the file to be uploaded: %w", err)
 	}
 	defer source.Close()
 	destination, err := b.sftpClient.Create(filepath.Join(b.DestinationPath, name))
 	if err != nil {
 		return fmt.Errorf("(*sshStorage).Copy: error creating file: %w", err)
 	}
 	defer destination.Close()
 	chunk := make([]byte, 1e9)
 	for {
 		num, err := source.Read(chunk)
 		if err == io.EOF {
 			tot, err := destination.Write(chunk[:num])
 			if err != nil {
 				return fmt.Errorf("(*sshStorage).Copy: error uploading the file: %w", err)
 			}
 			if tot != len(chunk[:num]) {
 				return errors.New("(*sshStorage).Copy: failed to write stream")
 			}
 			break
 		}
 		if err != nil {
 			return fmt.Errorf("(*sshStorage).Copy: error uploading the file: %w", err)
 		}
 		tot, err := destination.Write(chunk[:num])
 		if err != nil {
 			return fmt.Errorf("(*sshStorage).Copy: error uploading the file: %w", err)
 		}
 		if tot != len(chunk[:num]) {
 			return fmt.Errorf("(*sshStorage).Copy: failed to write stream")
 		}
 	}
 	b.Log(storage.LogLevelInfo, b.Name(), "Uploaded a copy of backup `%s` to '%s' at path '%s'.", file, b.hostName, b.DestinationPath)
 	return nil
 }
 // Prune rotates away backups according to the configuration and provided deadline for the SSH storage backend.
 func (b *sshStorage) Prune(deadline time.Time, pruningPrefix string) (*storage.PruneStats, error) {
 	candidates, err := b.sftpClient.ReadDir(b.DestinationPath)
 	if err != nil {
 		return nil, fmt.Errorf("(*sshStorage).Prune: error reading directory: %w", err)
 	}
 	var matches []string
 	for _, candidate := range candidates {
 		if !strings.HasPrefix(candidate.Name(), pruningPrefix) {
 			continue
 		}
 		if candidate.ModTime().Before(deadline) {
 			matches = append(matches, candidate.Name())
 		}
 	}
 	stats := &storage.PruneStats{
 		Total:  uint(len(candidates)),
 		Pruned: uint(len(matches)),
 	}
 	pruneErr := b.DoPrune(b.Name(), len(matches), len(candidates), deadline, func() error {
 		for _, match := range matches {
 			if err := b.sftpClient.Remove(filepath.Join(b.DestinationPath, match)); err != nil {
 				return fmt.Errorf("(*sshStorage).Prune: error removing file: %w", err)
 			}
 		}
 		return nil
 	})
 	return stats, pruneErr
 }
--- a/internal/storage/storage.go
+++ b/internal/storage/storage.go
@@ -0,0 +1,65 @@
 // Copyright 2022 - Offen Authors <hioffen@posteo.de>
 // SPDX-License-Identifier: MPL-2.0
 package storage
 import (
 	"fmt"
 	"time"
 )
 // Backend is an interface for defining functions which all storage providers support.
 type Backend interface {
 	Copy(file string) error
 	Prune(deadline time.Time, pruningPrefix string) (*PruneStats, error)
 	Name() string
 }
 // StorageBackend is a generic type of storage. Everything here are common properties of all storage types.
 type StorageBackend struct {
 	DestinationPath string
 	Log             Log
 }
 type LogLevel int
 const (
 	LogLevelInfo LogLevel = iota
 	LogLevelWarning
 	LogLevelError
 )
 type Log func(logType LogLevel, context string, msg string, params ...any)
 // PruneStats is a wrapper struct for returning stats after pruning
 type PruneStats struct {
 	Total  uint
 	Pruned uint
 }
 // DoPrune holds general control flow that applies to any kind of storage.
 // Callers can pass in a thunk that performs the actual deletion of files.
 func (b *StorageBackend) DoPrune(context string, lenMatches, lenCandidates int, deadline time.Time, doRemoveFiles func() error) error {
 	if lenMatches != 0 && lenMatches != lenCandidates {
 		if err := doRemoveFiles(); err != nil {
 			return err
 		}
 		formattedDeadline, err := deadline.Local().MarshalText()
 		if err != nil {
 			return fmt.Errorf("(*StorageBackend).DoPrune: error marshaling deadline: %w", err)
 		}
 		b.Log(LogLevelInfo, context,
 			"Pruned %d out of %d backups as they were older than the given deadline of %s.",
 			lenMatches,
 			lenCandidates,
 			string(formattedDeadline),
 		)
 	} else if lenMatches != 0 && lenMatches == lenCandidates {
 		b.Log(LogLevelWarning, context, "The current configuration would delete all %d existing backups.", lenMatches)
 		b.Log(LogLevelWarning, context, "Refusing to do so, please check your configuration.")
 	} else {
 		b.Log(LogLevelInfo, context, "None of %d existing backups were pruned.", lenCandidates)
 	}
 	return nil
 }
--- a/internal/storage/webdav/webdav.go
+++ b/internal/storage/webdav/webdav.go
@@ -0,0 +1,120 @@
 // Copyright 2022 - Offen Authors <hioffen@posteo.de>
 // SPDX-License-Identifier: MPL-2.0
 package webdav
 import (
 	"errors"
 	"fmt"
 	"io/fs"
 	"net/http"
 	"os"
 	"path"
 	"path/filepath"
 	"strings"
 	"time"
 	"github.com/offen/docker-volume-backup/internal/storage"
 	"github.com/studio-b12/gowebdav"
 )
 type webDavStorage struct {
 	*storage.StorageBackend
 	client *gowebdav.Client
 	url    string
 }
 // Config allows to configure a WebDAV storage backend.
 type Config struct {
 	URL         string
 	RemotePath  string
 	Username    string
 	Password    string
 	URLInsecure bool
 }
 // NewStorageBackend creates and initializes a new WebDav storage backend.
 func NewStorageBackend(opts Config, logFunc storage.Log) (storage.Backend, error) {
 	if opts.Username == "" || opts.Password == "" {
 		return nil, errors.New("NewStorageBackend: WEBDAV_URL is defined, but no credentials were provided")
 	} else {
 		webdavClient := gowebdav.NewClient(opts.URL, opts.Username, opts.Password)
 		if opts.URLInsecure {
 			defaultTransport, ok := http.DefaultTransport.(*http.Transport)
 			if !ok {
 				return nil, errors.New("NewStorageBackend: unexpected error when asserting type for http.DefaultTransport")
 			}
 			webdavTransport := defaultTransport.Clone()
 			webdavTransport.TLSClientConfig.InsecureSkipVerify = opts.URLInsecure
 			webdavClient.SetTransport(webdavTransport)
 		}
 		return &webDavStorage{
 			StorageBackend: &storage.StorageBackend{
 				DestinationPath: opts.RemotePath,
 				Log:             logFunc,
 			},
 			client: webdavClient,
 		}, nil
 	}
 }
 // Name returns the name of the storage backend
 func (b *webDavStorage) Name() string {
 	return "WebDAV"
 }
 // Copy copies the given file to the WebDav storage backend.
 func (b *webDavStorage) Copy(file string) error {
 	_, name := path.Split(file)
 	if err := b.client.MkdirAll(b.DestinationPath, 0644); err != nil {
 		return fmt.Errorf("(*webDavStorage).Copy: error creating directory '%s' on server: %w", b.DestinationPath, err)
 	}
 	r, err := os.Open(file)
 	if err != nil {
 		return fmt.Errorf("(*webDavStorage).Copy: error opening the file to be uploaded: %w", err)
 	}
 	if err := b.client.WriteStream(filepath.Join(b.DestinationPath, name), r, 0644); err != nil {
 		return fmt.Errorf("(*webDavStorage).Copy: error uploading the file: %w", err)
 	}
 	b.Log(storage.LogLevelInfo, b.Name(), "Uploaded a copy of backup '%s' to '%s' at path '%s'.", file, b.url, b.DestinationPath)
 	return nil
 }
 // Prune rotates away backups according to the configuration and provided deadline for the WebDav storage backend.
 func (b *webDavStorage) Prune(deadline time.Time, pruningPrefix string) (*storage.PruneStats, error) {
 	candidates, err := b.client.ReadDir(b.DestinationPath)
 	if err != nil {
 		return nil, fmt.Errorf("(*webDavStorage).Prune: error looking up candidates from remote storage: %w", err)
 	}
 	var matches []fs.FileInfo
 	var lenCandidates int
 	for _, candidate := range candidates {
 		if !strings.HasPrefix(candidate.Name(), pruningPrefix) {
 			continue
 		}
 		lenCandidates++
 		if candidate.ModTime().Before(deadline) {
 			matches = append(matches, candidate)
 		}
 	}
 	stats := &storage.PruneStats{
 		Total:  uint(lenCandidates),
 		Pruned: uint(len(matches)),
 	}
 	pruneErr := b.DoPrune(b.Name(), len(matches), lenCandidates, deadline, func() error {
 		for _, match := range matches {
 			if err := b.client.Remove(filepath.Join(b.DestinationPath, match.Name())); err != nil {
 				return fmt.Errorf("(*webDavStorage).Prune: error removing file: %w", err)
 			}
 		}
 		return nil
 	})
 	return stats, pruneErr
 }
--- a/test/Dockerfile
+++ b/test/Dockerfile
@@ -0,0 +1,13 @@
 FROM docker:24-dind
 RUN apk add \
  coreutils \
  curl \
  gpg \
  jq \
  moreutils \
  tar \
  zstd \
  --no-cache
 WORKDIR /code/test
--- a/test/README.md
+++ b/test/README.md
@@ -0,0 +1,70 @@
 # Integration Tests
 ## Running tests
 The main entry point for running tests is the `./test.sh` script.
 It can be used to run the entire test suite, or just a single test case.
 ### Run all tests
 ```sh
 ./test.sh
 ```
 ### Run a single test case
 ```sh
 ./test.sh <directory-name>
 ```
 ### Configuring a test run
 In addition to the match pattern, which can be given as the first positional argument, certain behavior can be changed by setting environment variables:
 #### `BUILD_IMAGE`
 When set, the test script will build an up-to-date `docker-volume-backup` image from the current state of your source tree, and run the tests against it.
 ```sh
 BUILD_IMAGE=1 ./test.sh
 ```
 The default behavior is not to build an image, and instead look for a version on your host system.
 #### `IMAGE_TAG`
 Setting this value lets you run tests against different existing images, so you can compare behavior:
 ```sh
 IMAGE_TAG=v2.30.0 ./test.sh
 ```
 #### `NO_IMAGE_CACHE`
 When set, images from remote registries will not be cached and shared between sandbox containers.
 ```sh
 NO_IMAGE_CACHE=1 ./test.sh
 ```
 By default, two local images are created that persist the image data and provide it to containers at runtime.
 ## Understanding the test setup
 The test setup runs each test case in an isolated Docker container, which itself is running an otherwise unused Docker daemon.
 This means, tests can rely on noone else using that daemon, making expectations about the number of running containers and so forth.
 As the sandbox container is also expected to be torn down post test, the scripts do not need to do any clean up or similar.
 ## Anatomy of a test case
 The `test.sh` script looks for an exectuable file called `run.sh` in each directory.
 When found, it is executed and signals success by returning a 0 exit code.
 Any other exit code is considered a failure and will halt execution of further tests.
 There is an `util.sh` file containing a few commonly used helpers which can be used by putting the following prelude to a new test case:
 ```sh
 cd "$(dirname "$0")"
 . ../util.sh
 current_test=$(basename $(pwd))
 ```
--- a/test/azure/docker-compose.yml
+++ b/test/azure/docker-compose.yml
@@ -0,0 +1,56 @@
 version: '3'
 services:
  storage:
    image: mcr.microsoft.com/azure-storage/azurite:3.26.0
    volumes:
      - ${DATA_DIR:-./data}:/data
    command: azurite-blob --blobHost 0.0.0.0 --blobPort 10000 --location /data
    healthcheck:
      test: nc 127.0.0.1 10000 -z
      interval: 1s
      retries: 30
  az_cli:
    image: mcr.microsoft.com/azure-cli:2.51.0
    volumes:
      - ${LOCAL_DIR:-./local}:/dump
    command:
      - /bin/sh
      - -c
      - |
          az storage container create --name test-container
    depends_on:
      storage:
        condition: service_healthy
    environment:
      AZURE_STORAGE_CONNECTION_STRING: DefaultEndpointsProtocol=http;AccountName=devstoreaccount1;AccountKey=Eby8vdM02xNOcqFlqUwJPLlmEtlCDXJ1OUzFT50uSRZ6IFsuFq2UVErCz4I6tq/K1SZFPTOtr/KBHBeksoGMGw==;BlobEndpoint=http://storage:10000/devstoreaccount1;
  backup:
    image: offen/docker-volume-backup:${TEST_VERSION:-canary}
    hostname: hostnametoken
    restart: always
    environment:
      AZURE_STORAGE_ACCOUNT_NAME: devstoreaccount1
      AZURE_STORAGE_PRIMARY_ACCOUNT_KEY: Eby8vdM02xNOcqFlqUwJPLlmEtlCDXJ1OUzFT50uSRZ6IFsuFq2UVErCz4I6tq/K1SZFPTOtr/KBHBeksoGMGw==
      AZURE_STORAGE_CONTAINER_NAME: test-container
      AZURE_STORAGE_ENDPOINT: http://storage:10000/{{ .AccountName }}/
      AZURE_STORAGE_PATH: 'path/to/backup'
      BACKUP_FILENAME: test.tar.gz
      BACKUP_CRON_EXPRESSION: 0 0 5 31 2 ?
      BACKUP_RETENTION_DAYS: ${BACKUP_RETENTION_DAYS:-7}
      BACKUP_PRUNING_LEEWAY: 5s
      BACKUP_PRUNING_PREFIX: test
    volumes:
      - app_data:/backup/app_data:ro
      - /var/run/docker.sock:/var/run/docker.sock
  offen:
    image: offen/offen:latest
    labels:
      - docker-volume-backup.stop-during-backup=true
    volumes:
      - app_data:/var/opt/offen
 volumes:
  app_data:
--- a/test/azure/run.sh
+++ b/test/azure/run.sh
@@ -0,0 +1,86 @@
 #!/bin/sh
 set -e
 cd "$(dirname "$0")"
 . ../util.sh
 current_test=$(basename $(pwd))
 export LOCAL_DIR=$(mktemp -d)
 export TMP_DIR=$(mktemp -d)
 export DATA_DIR=$(mktemp -d)
 download_az () {
  docker compose run --rm az_cli \
    az storage blob download -f /dump/$1.tar.gz -c test-container -n path/to/backup/$1.tar.gz
 }
 docker compose up -d --quiet-pull
 sleep 5
 docker compose exec backup backup
 sleep 5
 expect_running_containers "3"
 download_az "test"
 tar -xvf "$LOCAL_DIR/test.tar.gz" -C $TMP_DIR
 if [ ! -f "$TMP_DIR/backup/app_data/offen.db" ]; then
  fail "Could not find expeced file in untared backup"
 fi
 pass "Found relevant files in untared remote backups."
 rm "$LOCAL_DIR/test.tar.gz"
 # The second part of this test checks if backups get deleted when the retention
 # is set to 0 days (which it should not as it would mean all backups get deleted)
 BACKUP_RETENTION_DAYS="0" docker compose up -d
 sleep 5
 docker compose exec backup backup
 download_az "test"
 if [ ! -f "$LOCAL_DIR/test.tar.gz" ]; then
  fail "Remote backup was deleted"
 fi
 pass "Remote backups have not been deleted."
 # The third part of this test checks if old backups get deleted when the retention
 # is set to 7 days (which it should)
 BACKUP_RETENTION_DAYS="7" docker compose up -d
 sleep 5
 info "Create first backup with no prune"
 docker compose exec backup backup
 docker compose run --rm az_cli \
    az storage blob upload -f /dump/test.tar.gz -c test-container -n path/to/backup/test-old.tar.gz
 docker compose down
 rm "$LOCAL_DIR/test.tar.gz"
 back_date="$(date "+%Y-%m-%dT%H:%M:%S%z" -d "14 days ago" | rev | cut -c 3- | rev):00"
 jq --arg back_date "$back_date" '(.collections[] | select(.name=="$BLOBS_COLLECTION$") | .data[] | select(.name=="path/to/backup/test-old.tar.gz") | .properties.creationTime = $back_date)' "$DATA_DIR/__azurite_db_blob__.json" | sponge "$DATA_DIR/__azurite_db_blob__.json"
 docker compose up -d
 sleep 5
 info "Create second backup and prune"
 docker compose exec backup backup
 info "Download first backup which should be pruned"
 download_az "test-old" || true
 if [ -f "$LOCAL_DIR/test-old.tar.gz" ]; then
  fail "Backdated file was not deleted"
 fi
 download_az "test" || true
 if [ ! -f "$LOCAL_DIR/test.tar.gz" ]; then
  fail "Recent file was not found"
 fi
 pass "Old remote backup has been pruned, new one is still present."
--- a/test/certs/docker-compose.yml
+++ b/test/certs/docker-compose.yml
@@ -0,0 +1,48 @@
 version: '3'
 services:
  minio:
    hostname: minio.local
    image: minio/minio:RELEASE.2020-08-04T23-10-51Z
    environment:
      MINIO_ROOT_USER: test
      MINIO_ROOT_PASSWORD: test
      MINIO_ACCESS_KEY: test
      MINIO_SECRET_KEY: GMusLtUmILge2by+z890kQ
    entrypoint: /bin/ash -c 'mkdir -p /data/backup && minio server --certs-dir "/certs" --address ":443" /data'
    volumes:
      - minio_backup_data:/data
      - ${CERT_DIR:-.}/minio.crt:/certs/public.crt
      - ${CERT_DIR:-.}/minio.key:/certs/private.key
  backup:
    image: offen/docker-volume-backup:${TEST_VERSION:-canary}
    depends_on:
      - minio
    restart: always
    environment:
      BACKUP_FILENAME: test.tar.gz
      AWS_ACCESS_KEY_ID: test
      AWS_SECRET_ACCESS_KEY: GMusLtUmILge2by+z890kQ
      AWS_ENDPOINT: minio.local:443
      AWS_ENDPOINT_CA_CERT: /root/minio-rootCA.crt
      AWS_S3_BUCKET_NAME: backup
      BACKUP_CRON_EXPRESSION: 0 0 5 31 2 ?
      BACKUP_RETENTION_DAYS: ${BACKUP_RETENTION_DAYS:-7}
      BACKUP_PRUNING_LEEWAY: 5s
    volumes:
      - app_data:/backup/app_data:ro
      - /var/run/docker.sock:/var/run/docker.sock
      - ${CERT_DIR:-.}/rootCA.crt:/root/minio-rootCA.crt
  offen:
    image: offen/offen:latest
    labels:
      - docker-volume-backup.stop-during-backup=true
    volumes:
      - app_data:/var/opt/offen
 volumes:
  minio_backup_data:
    name: minio_backup_data
  app_data:
--- a/test/certs/run.sh
+++ b/test/certs/run.sh
@@ -0,0 +1,43 @@
 #!/bin/sh
 set -e
 cd "$(dirname "$0")"
 . ../util.sh
 current_test=$(basename $(pwd))
 export CERT_DIR=$(mktemp -d)
 openssl genrsa -des3 -passout pass:test -out "$CERT_DIR/rootCA.key" 4096
 openssl req -passin pass:test \
  -subj "/C=DE/ST=BE/O=IntegrationTest, Inc." \
  -x509 -new -key "$CERT_DIR/rootCA.key" -sha256 -days 1 -out "$CERT_DIR/rootCA.crt"
 openssl genrsa -out "$CERT_DIR/minio.key" 4096
 openssl req -new -sha256 -key "$CERT_DIR/minio.key" \
  -subj "/C=DE/ST=BE/O=IntegrationTest, Inc./CN=minio" \
  -out "$CERT_DIR/minio.csr"
 openssl x509 -req -passin pass:test \
  -in "$CERT_DIR/minio.csr" \
  -CA "$CERT_DIR/rootCA.crt" -CAkey "$CERT_DIR/rootCA.key" -CAcreateserial \
  -extfile san.cnf \
  -out "$CERT_DIR/minio.crt" -days 1 -sha256
 openssl x509 -in "$CERT_DIR/minio.crt" -noout -text
 docker compose up -d --quiet-pull
 sleep 5
 docker compose exec backup backup
 sleep 5
 expect_running_containers "3"
 docker run --rm \
  -v minio_backup_data:/minio_data \
  alpine \
  ash -c 'tar -xvf /minio_data/backup/test.tar.gz -C /tmp && test -f /tmp/backup/app_data/offen.db'
 pass "Found relevant files in untared remote backups."
--- a/test/certs/san.cnf
+++ b/test/certs/san.cnf
@@ -0,0 +1 @@
 subjectAltName = DNS:minio.local
--- a/test/cli/run.sh
+++ b/test/cli/run.sh
@@ -3,12 +3,17 @@
 set -e
 cd $(dirname $0)
 . ../util.sh
 current_test=$(basename $(pwd))
 docker network create test_network
 docker volume create backup_data
 docker volume create app_data
 # This volume is created to test whether empty directories are handled
 # correctly. It is not supposed to hold any data.
 docker volume create empty_data
-docker run -d \
+docker run -d -q \
  --name minio \
  --network test_network \
  --env MINIO_ROOT_USER=test \
@@ -20,18 +25,18 @@ docker run -d \
 docker exec minio mkdir -p /data/backup
-docker run -d \
+docker run -d -q \
  --name offen \
  --network test_network \
  --label "docker-volume-backup.stop-during-backup=true" \
  -v app_data:/var/opt/offen/ \
  offen/offen:latest
 sleep 10
-docker run --rm \
+docker run --rm -q \
  --network test_network \
  -v app_data:/backup/app_data \
  -v empty_data:/backup/empty_data \
  -v /var/run/docker.sock:/var/run/docker.sock \
  --env AWS_ACCESS_KEY_ID=test \
  --env AWS_SECRET_ACCESS_KEY=GMusLtUmILge2by+z890kQ \
@@ -39,23 +44,20 @@ docker run --rm \
  --env AWS_ENDPOINT_PROTO=http \
  --env AWS_S3_BUCKET_NAME=backup \
  --env BACKUP_FILENAME=test.tar.gz \
  --env "BACKUP_FROM_SNAPSHOT=true" \
  --entrypoint backup \
-  offen/docker-volume-backup:$TEST_VERSION
+  offen/docker-volume-backup:${TEST_VERSION:-canary}
-docker run --rm -it \
+docker run --rm -q \
  -v backup_data:/data alpine \
-  ash -c 'tar -xvf /data/backup/test.tar.gz && test -f /backup/app_data/offen.db'
+  ash -c 'tar -xvf /data/backup/test.tar.gz && test -f /backup/app_data/offen.db && test -d /backup/empty_data'
-echo "[TEST:PASS] Found relevant files in untared backup."
+pass "Found relevant files in untared remote backup."
-if [ "$(docker ps -q | wc -l)" != "2" ]; then
+# This test does not stop containers during backup. This is happening on
-  echo "[TEST:FAIL] Expected all containers to be running post backup, instead seen:"
+# purpose in order to cover this setup as well.
-  docker ps
+expect_running_containers "2"
  exit 1
 fi
-echo "[TEST:PASS] All containers running post backup."
+docker rm $(docker stop minio offen)
 docker rm $(docker stop minio offen backup)
 docker volume rm backup_data app_data
 docker network rm test_network
--- a/test/collision/docker-compose.yml
+++ b/test/collision/docker-compose.yml
@@ -0,0 +1,28 @@
 # Copyright 2020-2021 - Offen Authors <hioffen@posteo.de>
 # SPDX-License-Identifier: Unlicense
 version: '3.8'
 services:
  backup:
    image: offen/docker-volume-backup:${TEST_VERSION:-canary}
    environment:
      BACKUP_FILENAME: test.tar.gz
    volumes:
      - offen_data:/backup/offen_data:ro
      - ${LOCAL_DIR:-./local}:/archive
      - /var/run/docker.sock:/var/run/docker.sock
  offen:
    image: offen/offen:latest
    labels:
      - docker-volume-backup.stop-during-backup=true
    deploy:
      labels:
        - docker-volume-backup.stop-during-backup=true
      replicas: 2
    volumes:
      - offen_data:/var/opt/offen
 volumes:
  offen_data:
--- a/test/collision/run.sh
+++ b/test/collision/run.sh
@@ -0,0 +1,34 @@
 #!/bin/sh
 set -e
 cd $(dirname $0)
 . ../util.sh
 current_test=$(basename $(pwd))
 export LOCAL_DIR=$(mktemp -d)
 docker swarm init
 docker stack deploy --compose-file=docker-compose.yml test_stack
 while [ -z $(docker ps -q -f name=backup) ]; do
  info "Backup container not ready yet. Retrying."
  sleep 1
 done
 sleep 20
 set +e
 docker exec $(docker ps -q -f name=backup) backup
 if [ $? = "0" ]; then
  fail "Expected script to exit with error code."
 fi
 if [ -f "${LOCAL_DIR}/test.tar.gz" ]; then
  fail "Found backup file that should not have been created."
 fi
 expect_running_containers "3"
 pass "Script did not perform backup as there was a label collision."
--- a/test/commands/docker-compose.yml
+++ b/test/commands/docker-compose.yml
@@ -0,0 +1,50 @@
 version: '3.8'
 services:
  database:
    image: mariadb:10.7
    deploy:
      restart_policy:
        condition: on-failure
    environment:
      MARIADB_ROOT_PASSWORD: test
      MARIADB_DATABASE: backup
    labels:
      # this is testing the deprecated label on purpose
      - docker-volume-backup.exec-pre=/bin/sh -c 'mysqldump -ptest --all-databases > /tmp/volume/dump.sql'
      - docker-volume-backup.copy-post=/bin/sh -c 'echo "post" > /tmp/volume/post.txt'
      - docker-volume-backup.exec-label=test
    volumes:
      - app_data:/tmp/volume
  other_database:
    image: mariadb:10.7
    deploy:
      restart_policy:
        condition: on-failure
    environment:
      MARIADB_ROOT_PASSWORD: test
      MARIADB_DATABASE: backup
    labels:
      - docker-volume-backup.archive-pre=touch /tmp/volume/not-relevant.txt
      - docker-volume-backup.exec-label=not-relevant
    volumes:
      - app_data:/tmp/volume
  backup:
    image: offen/docker-volume-backup:${TEST_VERSION:-canary}
    deploy:
      restart_policy:
        condition: on-failure
    environment:
      BACKUP_FILENAME: test.tar.gz
      BACKUP_CRON_EXPRESSION: 0 0 5 31 2 ?
      EXEC_LABEL: test
      EXEC_FORWARD_OUTPUT: "true"
    volumes:
      - ${LOCAL_DIR:-./local}:/archive
      - app_data:/backup/data:ro
      - /var/run/docker.sock:/var/run/docker.sock
 volumes:
  app_data:
--- a/test/commands/run.sh
+++ b/test/commands/run.sh
@@ -0,0 +1,62 @@
 #!/bin/sh
 set -e
 cd $(dirname $0)
 . ../util.sh
 current_test=$(basename $(pwd))
 export LOCAL_DIR=$(mktemp -d)
 export TMP_DIR=$(mktemp -d)
 docker compose up -d --quiet-pull
 sleep 30 # mariadb likes to take a bit before responding
 docker compose exec backup backup
 tar -xvf "$LOCAL_DIR/test.tar.gz" -C $TMP_DIR
 if [ ! -f "$TMP_DIR/backup/data/dump.sql" ]; then
  fail "Could not find file written by pre command."
 fi
 pass "Found expected file."
 if [ -f "$TMP_DIR/backup/data/not-relevant.txt" ]; then
  fail "Command ran for container with other label."
 fi
 pass "Command did not run for container with other label."
 if [ -f "$TMP_DIR/backup/data/post.txt" ]; then
  fail "File created in post command was present in backup."
 fi
 pass "Did not find unexpected file."
 docker compose down --volumes
 info "Running commands test in swarm mode next."
 export LOCAL_DIR=$(mktemp -d)
 export TMP_DIR=$(mktemp -d)
 docker swarm init
 docker stack deploy --compose-file=docker-compose.yml test_stack
 while [ -z $(docker ps -q -f name=backup) ]; do
  info "Backup container not ready yet. Retrying."
  sleep 1
 done
 sleep 20
 docker exec $(docker ps -q -f name=backup) backup
 tar -xvf "$LOCAL_DIR/test.tar.gz" -C $TMP_DIR
 if [ ! -f "$TMP_DIR/backup/data/dump.sql" ]; then
  fail "Could not find file written by pre command."
 fi
 pass "Found expected file."
 if [ -f "$TMP_DIR/backup/data/post.txt" ]; then
  fail "File created in post command was present in backup."
 fi
 pass "Did not find unexpected file."
--- a/test/compose/.gitignore
+++ b/test/compose/.gitignore
@@ -1 +0,0 @@
 local
--- a/test/compose/run.sh
+++ b/test/compose/run.sh
@@ -1,58 +0,0 @@
 #!/bin/sh
 set -e
 cd $(dirname $0)
 mkdir -p local
 docker-compose up -d
 sleep 5
 docker-compose exec offen ln -s /var/opt/offen/offen.db /var/opt/offen/db.link
 docker-compose exec backup backup
 docker run --rm -it \
  -v compose_backup_data:/data alpine \
  ash -c 'apk add gnupg && echo 1234secret | gpg -d --pinentry-mode loopback --passphrase-fd 0 --yes /data/backup/test.tar.gz.gpg > /tmp/test.tar.gz && tar -xf /tmp/test.tar.gz -C /tmp && test -f /tmp/backup/app_data/offen.db'
 echo "[TEST:PASS] Found relevant files in untared remote backup."
 test -L ./local/test.latest.tar.gz.gpg
 echo 1234secret | gpg -d --yes --passphrase-fd 0 ./local/test.tar.gz.gpg > ./local/decrypted.tar.gz
 tar -xf ./local/decrypted.tar.gz -C /tmp && test -f /tmp/backup/app_data/offen.db
 rm ./local/decrypted.tar.gz
 test -L /tmp/backup/app_data/db.link
 echo "[TEST:PASS] Found relevant files in untared local backup."
 if [ "$(docker-compose ps -q | wc -l)" != "3" ]; then
  echo "[TEST:FAIL] Expected all containers to be running post backup, instead seen:"
  docker-compose ps
  exit 1
 fi
 echo "[TEST:PASS] All containers running post backup."
 # The second part of this test checks if backups get deleted when the retention
 # is set to 0 days (which it should not as it would mean all backups get deleted)
 # TODO: find out if we can test actual deletion without having to wait for a day
 BACKUP_RETENTION_DAYS="0" docker-compose up -d
 sleep 5
 docker-compose exec backup backup
 docker run --rm -it \
  -v compose_backup_data:/data alpine \
  ash -c '[ $(find /data/backup/ -type f | wc -l) = "1" ]'
 echo "[TEST:PASS] Remote backups have not been deleted."
 if [ "$(find ./local -type f | wc -l)" != "1" ]; then
  echo "[TEST:FAIL] Backups should not have been deleted, instead seen:"
  find ./local -type f
 fi
 echo "[TEST:PASS] Local backups have not been deleted."
 docker-compose down --volumes
--- a/test/confd/01backup.env
+++ b/test/confd/01backup.env
@@ -0,0 +1,2 @@
 BACKUP_FILENAME="conf.tar.gz"
 BACKUP_CRON_EXPRESSION="*/1 * * * *"
--- a/test/confd/02backup.env
+++ b/test/confd/02backup.env
@@ -0,0 +1,2 @@
 BACKUP_FILENAME="other.tar.gz"
 BACKUP_CRON_EXPRESSION="*/1 * * * *"
--- a/test/confd/03never.env
+++ b/test/confd/03never.env
@@ -0,0 +1,2 @@
 BACKUP_FILENAME="never.tar.gz"
 BACKUP_CRON_EXPRESSION="0 0 5 31 2 ?"
--- a/test/confd/docker-compose.yml
+++ b/test/confd/docker-compose.yml
@@ -0,0 +1,23 @@
 version: '3'
 services:
  backup:
    image: offen/docker-volume-backup:${TEST_VERSION:-canary}
    restart: always
    volumes:
      - ${LOCAL_DIR:-./local}:/archive
      - app_data:/backup/app_data:ro
      - ./01backup.env:/etc/dockervolumebackup/conf.d/01backup.env
      - ./02backup.env:/etc/dockervolumebackup/conf.d/02backup.env
      - ./03never.env:/etc/dockervolumebackup/conf.d/03never.env
      - /var/run/docker.sock:/var/run/docker.sock
  offen:
    image: offen/offen:latest
    labels:
      - docker-volume-backup.stop-during-backup=true
    volumes:
      - app_data:/var/opt/offen
 volumes:
  app_data:
--- a/test/confd/run.sh
+++ b/test/confd/run.sh
@@ -0,0 +1,31 @@
 #!/bin/sh
 set -e
 cd $(dirname $0)
 . ../util.sh
 current_test=$(basename $(pwd))
 export LOCAL_DIR=$(mktemp -d)
 docker compose up -d --quiet-pull
 # sleep until a backup is guaranteed to have happened on the 1 minute schedule
 sleep 100
 docker compose logs backup
 if [ ! -f "$LOCAL_DIR/conf.tar.gz" ]; then
  fail "Config from file was not used."
 fi
 pass "Config from file was used."
 if [ ! -f "$LOCAL_DIR/other.tar.gz" ]; then
  fail "Run on same schedule did not succeed."
 fi
 pass "Run on same schedule succeeded."
 if [ -f "$LOCAL_DIR/never.tar.gz" ]; then
  fail "Unexpected file was found."
 fi
 pass "Unexpected cron did not run."
--- a/test/dropbox/.gitignore
+++ b/test/dropbox/.gitignore
@@ -0,0 +1 @@
 user_v2_ready.yaml
--- a/test/dropbox/docker-compose.yml
+++ b/test/dropbox/docker-compose.yml
@@ -0,0 +1,57 @@
 version: '3'
 services:
  openapi_mock:
    image: muonsoft/openapi-mock:0.3.9
    environment:
      OPENAPI_MOCK_USE_EXAMPLES: if_present
      OPENAPI_MOCK_SPECIFICATION_URL: '/etc/openapi/user_v2.yaml'
    ports:
      - 8080:8080
    volumes:
      - ${SPEC_FILE:-./user_v2.yaml}:/etc/openapi/user_v2.yaml
  oauth2_mock:
    image: ghcr.io/navikt/mock-oauth2-server:1.0.0
    ports:
      - 8090:8090
    environment:
      PORT: 8090
      JSON_CONFIG_PATH: '/etc/oauth2/config.json'
    volumes:
      - ./oauth2_config.json:/etc/oauth2/config.json
  backup:
    image: offen/docker-volume-backup:${TEST_VERSION:-canary}
    hostname: hostnametoken
    depends_on:
      - openapi_mock
      - oauth2_mock
    restart: always
    environment:
      BACKUP_FILENAME_EXPAND: 'true'
      BACKUP_FILENAME: test-$$HOSTNAME.tar.gz
      BACKUP_CRON_EXPRESSION: 0 0 5 31 2 ?
      BACKUP_RETENTION_DAYS: ${BACKUP_RETENTION_DAYS:-7}
      BACKUP_PRUNING_LEEWAY: 5s
      BACKUP_PRUNING_PREFIX: test
      DROPBOX_ENDPOINT: http://openapi_mock:8080
      DROPBOX_OAUTH2_ENDPOINT: http://oauth2_mock:8090
      DROPBOX_REFRESH_TOKEN: test
      DROPBOX_APP_KEY: test
      DROPBOX_APP_SECRET: test
      DROPBOX_REMOTE_PATH: /test
      DROPBOX_CONCURRENCY_LEVEL: 6
    volumes:
      - app_data:/backup/app_data:ro
      - /var/run/docker.sock:/var/run/docker.sock
  offen:
    image: offen/offen:latest
    labels:
      - docker-volume-backup.stop-during-backup=true
    volumes:
      - app_data:/var/opt/offen
 volumes:
  app_data:
--- a/test/dropbox/oauth2_config.json
+++ b/test/dropbox/oauth2_config.json
@@ -0,0 +1,37 @@
 {
   "interactiveLogin": true,
   "httpServer": "NettyWrapper",
   "tokenCallbacks": [
       {
           "issuerId": "issuer1",
           "tokenExpiry": 120,
           "requestMappings": [
               {
                   "requestParam": "scope",
                   "match": "scope1",
                   "claims": {
                       "sub": "subByScope",
                       "aud": [
                           "audByScope"
                       ]
                   }
               }
           ]
       },
       {
           "issuerId": "issuer2",
           "requestMappings": [
               {
                   "requestParam": "someparam",
                   "match": "somevalue",
                   "claims": {
                       "sub": "subBySomeParam",
                       "aud": [
                           "audBySomeParam"
                       ]
                   }
               }
           ]
       }
   ]
 }
--- a/test/dropbox/run.sh
+++ b/test/dropbox/run.sh
@@ -0,0 +1,61 @@
 #!/bin/sh
 set -e
 cd "$(dirname "$0")"
 . ../util.sh
 current_test=$(basename $(pwd))
 export SPEC_FILE=$(mktemp -d)/user_v2.yaml
 cp user_v2.yaml $SPEC_FILE
 sed -i 's/SERVER_MODIFIED_1/'"$(date "+%Y-%m-%dT%H:%M:%SZ")/g" $SPEC_FILE
 sed -i 's/SERVER_MODIFIED_2/'"$(date "+%Y-%m-%dT%H:%M:%SZ" -d "14 days ago")/g" $SPEC_FILE
 docker compose up -d --quiet-pull
 sleep 5
 logs=$(docker compose exec -T backup backup)
 sleep 5
 expect_running_containers "4"
 echo "$logs"
 if echo "$logs" | grep -q "ERROR"; then
  fail "Backup failed, errors reported: $logs"
 else
  pass "Backup succeeded, no errors reported."
 fi
 # The second part of this test checks if backups get deleted when the retention
 # is set to 0 days (which it should not as it would mean all backups get deleted)
 BACKUP_RETENTION_DAYS="0" docker compose up -d
 sleep 5
 logs=$(docker compose exec -T backup backup)
 echo "$logs"
 if echo "$logs" | grep -q "Refusing to do so, please check your configuration"; then
  pass "Remote backups have not been deleted."
 else
  fail "Remote backups would have been deleted: $logs"
 fi
 # The third part of this test checks if old backups get deleted when the retention
 # is set to 7 days (which it should)
 BACKUP_RETENTION_DAYS="7" docker compose up -d
 sleep 5
 info "Create second backup and prune"
 logs=$(docker compose exec -T backup backup)
 echo "$logs"
 if echo "$logs" | grep -q "Pruned 1 out of 2 backups as they were older"; then
  pass "Old remote backup has been pruned, new one is still present."
 elif echo "$logs" | grep -q "ERROR"; then
  fail "Pruning failed, errors reported: $logs"
 elif echo "$logs" | grep -q "None of 1 existing backups were pruned"; then
  fail "Pruning failed, old backup has not been pruned: $logs"
 else
  fail "Pruning failed, unknown result: $logs"
 fi
--- a/test/dropbox/user_v2.yaml
+++ b/test/dropbox/user_v2.yaml
--- a/test/extend/Dockerfile
+++ b/test/extend/Dockerfile
@@ -0,0 +1,4 @@
 ARG version=canary
 FROM offen/docker-volume-backup:$version
 RUN apk add rsync
--- a/test/extend/docker-compose.yml
+++ b/test/extend/docker-compose.yml
@@ -0,0 +1,26 @@
 version: '3'
 services:
  backup:
    image: offen/docker-volume-backup:${TEST_VERSION:-canary}
    restart: always
    labels:
      - docker-volume-backup.copy-post=/bin/sh -c 'mkdir -p /tmp/unpack && tar -xvf $$COMMAND_RUNTIME_ARCHIVE_FILEPATH -C /tmp/unpack && rsync -r /tmp/unpack/backup/app_data /local'
    environment:
      BACKUP_FILENAME: test.tar.gz
      BACKUP_CRON_EXPRESSION: 0 0 5 31 2 ?
      EXEC_FORWARD_OUTPUT: "true"
    volumes:
      - ${LOCAL_DIR:-local}:/local
      - app_data:/backup/app_data:ro
      - /var/run/docker.sock:/var/run/docker.sock
  offen:
    image: offen/offen:latest
    labels:
      - docker-volume-backup.stop-during-backup=true
    volumes:
      - app_data:/var/opt/offen
 volumes:
  app_data:
--- a/test/extend/run.sh
+++ b/test/extend/run.sh
@@ -0,0 +1,27 @@
 #!/bin/sh
 set -e
 cd "$(dirname "$0")"
 . ../util.sh
 current_test=$(basename $(pwd))
 export LOCAL_DIR=$(mktemp -d)
 export BASE_VERSION="${TEST_VERSION:-canary}"
 export TEST_VERSION="${TEST_VERSION:-canary}-with-rsync"
 docker build . -t offen/docker-volume-backup:$TEST_VERSION --build-arg version=$BASE_VERSION
 docker compose up -d --quiet-pull
 sleep 5
 docker compose exec backup backup
 sleep 5
 expect_running_containers "2"
 if [ ! -f "$LOCAL_DIR/app_data/offen.db" ]; then
  fail "Could not find expected file in untared archive."
 fi
--- a/test/gpg/docker-compose.yml
+++ b/test/gpg/docker-compose.yml
@@ -0,0 +1,26 @@
 version: '3'
 services:
  backup:
    image: offen/docker-volume-backup:${TEST_VERSION:-canary}
    restart: always
    environment:
      BACKUP_CRON_EXPRESSION: 0 0 5 31 2 ?
      BACKUP_FILENAME: test.tar.gz
      BACKUP_LATEST_SYMLINK: test-latest.tar.gz.gpg
      BACKUP_RETENTION_DAYS: ${BACKUP_RETENTION_DAYS:-7}
      GPG_PASSPHRASE: 1234#$$ecret
    volumes:
      - ${LOCAL_DIR:-./local}:/archive
      - app_data:/backup/app_data:ro
      - /var/run/docker.sock:/var/run/docker.sock
  offen:
    image: offen/offen:latest
    labels:
      - docker-volume-backup.stop-during-backup=true
    volumes:
      - app_data:/var/opt/offen
 volumes:
  app_data:
--- a/test/gpg/run.sh
+++ b/test/gpg/run.sh
@@ -0,0 +1,32 @@
 #!/bin/sh
 set -e
 cd "$(dirname "$0")"
 . ../util.sh
 current_test=$(basename $(pwd))
 export LOCAL_DIR=$(mktemp -d)
 docker compose up -d --quiet-pull
 sleep 5
 docker compose exec backup backup
 expect_running_containers "2"
 TMP_DIR=$(mktemp -d)
 echo "1234#\$ecret" | gpg -d --pinentry-mode loopback --yes --passphrase-fd 0 "$LOCAL_DIR/test.tar.gz.gpg" > "$LOCAL_DIR/decrypted.tar.gz"
 tar -xf "$LOCAL_DIR/decrypted.tar.gz" -C $TMP_DIR
 if [ ! -f $TMP_DIR/backup/app_data/offen.db ]; then
  fail "Could not find expected file in untared archive."
 fi
 rm "$LOCAL_DIR/decrypted.tar.gz"
 pass "Found relevant files in decrypted and untared local backup."
 if [ ! -L "$LOCAL_DIR/test-latest.tar.gz.gpg" ]; then
  fail "Could not find local symlink to latest encrypted backup."
 fi
--- a/test/ignore/docker-compose.yml
+++ b/test/ignore/docker-compose.yml
@@ -0,0 +1,15 @@
 version: '3.8'
 services:
  backup:
    image: offen/docker-volume-backup:${TEST_VERSION:-canary}
    deploy:
      restart_policy:
        condition: on-failure
    environment:
      BACKUP_FILENAME: test.tar.gz
      BACKUP_CRON_EXPRESSION: 0 0 5 31 2 ?
      BACKUP_EXCLUDE_REGEXP: '\.(me|you)$$'
    volumes:
      - ${LOCAL_DIR:-./local}:/archive
      - ./sources:/backup/data:ro
--- a/test/ignore/run.sh
+++ b/test/ignore/run.sh
@@ -0,0 +1,26 @@
 #!/bin/sh
 set -e
 cd $(dirname $0)
 . ../util.sh
 current_test=$(basename $(pwd))
 export LOCAL_DIR=$(mktemp -d)
 docker compose up -d --quiet-pull
 sleep 5
 docker compose exec backup backup
 TMP_DIR=$(mktemp -d)
 tar --same-owner -xvf "$LOCAL_DIR/test.tar.gz" -C "$TMP_DIR"
 if [ ! -f "$TMP_DIR/backup/data/me.txt" ]; then
  fail "Expected file was not found."
 fi
 pass "Expected file was found."
 if [ -f "$TMP_DIR/backup/data/skip.me" ]; then
  fail "Ignored file was found."
 fi
 pass "Ignored file was not found."
--- a/test/ignore/sources/me.txt
+++ b/test/ignore/sources/me.txt
--- a/test/ignore/sources/skip.me
+++ b/test/ignore/sources/skip.me
--- a/Show More
+++ b/Show More
		`@@ -0,0 +1,2 @@`
							`BACKUP_FILENAME="conf.tar.gz"`
							`BACKUP_CRON_EXPRESSION="/1 * * *"`
		`@@ -0,0 +1,2 @@`
							`BACKUP_FILENAME="other.tar.gz"`
							`BACKUP_CRON_EXPRESSION="/1 * * *"`
		`@@ -0,0 +1,2 @@`
							`BACKUP_FILENAME="never.tar.gz"`
							`BACKUP_CRON_EXPRESSION="0 0 5 31 2 ?"`