Update existing tests and test actual pruning

Passing a full duration as retention period is more flexible
2026-01-03 22:32:15 +01:00 · 2025-02-06 17:40:45 +01:00 · 2025-02-06 15:33:08 +01:00
56 changed files with 310 additions and 382 deletions
--- a/.github/workflows/golangci-lint.yml
+++ b/.github/workflows/golangci-lint.yml
@@ -18,7 +18,7 @@ jobs:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
-          go-version: '1.24'
+          go-version: '1.23'
          cache: false
      - name: golangci-lint
        uses: golangci/golangci-lint-action@v3
@@ -26,7 +26,7 @@ jobs:
          # Require: The version of golangci-lint to use.
          # When `install-mode` is `binary` (default) the value can be v1.2 or v1.2.3 or `latest` to use the latest version.
          # When `install-mode` is `goinstall` the value can be v1.2.3, `latest`, or the hash of a commit.
-          version: v1.64
+          version: v1.60

          # Optional: working directory, useful for monorepos
          # working-directory: somedir
--- a/.github/workflows/unit.yml
+++ b/.github/workflows/unit.yml
@@ -14,7 +14,7 @@ jobs:
      - name: Setup Go
        uses: actions/setup-go@v4
        with:
-          go-version: '1.24.x'
+          go-version: '1.23.x'
      - name: Install dependencies
        run: go mod download
      - name: Test with the Go CLI
--- a/2
+++ b/2
@@ -1,7 +1,7 @@
 # Copyright 2022 - offen.software <hioffen@posteo.de>
 # SPDX-License-Identifier: MPL-2.0

-FROM golang:1.24-alpine AS builder
+FROM golang:1.23-alpine as builder

 WORKDIR /app
 COPY . .
--- a/cmd/backup/config.go
+++ b/cmd/backup/config.go
@@ -38,6 +38,7 @@ type Config struct {
 	BackupArchive                 string          `split_words:"true" default:"/archive"`
 	BackupCronExpression          string          `split_words:"true" default:"@daily"`
 	BackupRetentionDays           int32           `split_words:"true" default:"-1"`
+	BackupRetentionPeriod         time.Duration   `split_words:"true"`
 	BackupPruningLeeway           time.Duration   `split_words:"true" default:"1m"`
 	BackupPruningPrefix           string          `split_words:"true"`
 	BackupStopContainerLabel      string          `split_words:"true"`
--- a/cmd/backup/encrypt_archive.go
+++ b/cmd/backup/encrypt_archive.go
@@ -10,10 +10,8 @@ import (
 	"io"
 	"os"
 	"path"
-	"strings"

 	"filippo.io/age"
-	"filippo.io/age/agessh"
 	"github.com/ProtonMail/go-crypto/openpgp/armor"
 	openpgp "github.com/ProtonMail/go-crypto/openpgp/v2"
 	"github.com/offen/docker-volume-backup/internal/errwrap"
@@ -75,7 +73,7 @@ func (s *script) getConfiguredAgeRecipients() ([]age.Recipient, error) {
 	recipients := []age.Recipient{}
 	if len(s.c.AgePublicKeys) > 0 {
 		for _, pk := range s.c.AgePublicKeys {
-			pkr, err := parseAgeRecipient(pk)
+			pkr, err := age.ParseX25519Recipient(pk)
 			if err != nil {
 				return nil, errwrap.Wrap(err, "failed to parse age public key")
 			}
@@ -96,18 +94,6 @@ func (s *script) getConfiguredAgeRecipients() ([]age.Recipient, error) {
 	return recipients, nil
 }

-func parseAgeRecipient(arg string) (age.Recipient, error) {
-	// This logic is adapted from what the age CLI is doing
-	// stripping some special cases
-	switch {
-	case strings.HasPrefix(arg, "age1"):
-		return age.ParseX25519Recipient(arg)
-	case strings.HasPrefix(arg, "ssh-"):
-		return agessh.ParseRecipient(arg)
-	}
-	return nil, fmt.Errorf("unknown recipient type: %q", arg)
-}
-
 func (s *script) encryptWithAge(rec []age.Recipient) error {
 	return s.doEncrypt("age", func(ciphertextWriter io.Writer) (io.WriteCloser, error) {
 		return age.Encrypt(ciphertextWriter, rec...)
--- a/cmd/backup/prune_backups.go
+++ b/cmd/backup/prune_backups.go
@@ -17,11 +17,18 @@ import (
 // the given configuration. In case the given configuration would delete all
 // backups, it does nothing instead and logs a warning.
 func (s *script) pruneBackups() error {
-	if s.c.BackupRetentionDays < 0 {
+	if s.c.BackupRetentionDays < 0 && s.c.BackupRetentionPeriod == 0 {
 		return nil
 	}

-	deadline := time.Now().AddDate(0, 0, -int(s.c.BackupRetentionDays)).Add(s.c.BackupPruningLeeway)
+	var deadline time.Time
+	if s.c.BackupRetentionPeriod != 0 {
+		deadline = time.Now().Add(-s.c.BackupRetentionPeriod)
+	} else {
+		s.logger.Warn("Using BACKUP_RETENTION_DAYS has been deprecated and will be removed in the next major version. Please use BACKUP_RETENTION_PERIOD instead.")
+		deadline = time.Now().AddDate(0, 0, -int(s.c.BackupRetentionDays))
+	}
+	deadline = deadline.Add(s.c.BackupPruningLeeway)

 	eg := errgroup.Group{}
 	for _, backend := range s.storages {
--- a/cmd/backup/script.go
+++ b/cmd/backup/script.go
@@ -225,6 +225,10 @@ func (s *script) init() error {
 		s.storages = append(s.storages, dropboxBackend)
 	}

+	if s.c.BackupRetentionDays > -1 && s.c.BackupRetentionPeriod > 0 {
+		return errwrap.Wrap(nil, "both BACKUP_RETENTION_DAYS and BACKUP_RETENTION_PERIOD were configured, which are mutually exclusive")
+	}
+
 	if s.c.EmailNotificationRecipient != "" {
 		emailURL := fmt.Sprintf(
 			"smtp://%s:%s@%s:%d/?from=%s&to=%s",
--- a/docs/how-tos/automatically-prune-old-backups.md
+++ b/docs/how-tos/automatically-prune-old-backups.md
@@ -7,7 +7,8 @@ nav_order: 3

 # Automatically prune old backups

-When `BACKUP_RETENTION_DAYS` is configured, the command will check if there are any archives in the remote storage backend(s) or local archive that are older than the given retention value and rotate these backups away.
+When `BACKUP_RETENTION_PERIOD` is configured, the command will check if there are any archives in the remote storage backend(s) or local archive that are older than the given retention value and rotate these backups away.
+The value is a duration as per Go's [`time.ParseDuration`][duration].

 {: .note }
 Be aware that this mechanism looks at __all files in the target bucket or archive__, which means that other files that are older than the given deadline are deleted as well.
@@ -23,7 +24,7 @@ services:
    environment:
      BACKUP_FILENAME: backup-%Y-%m-%dT%H-%M-%S.tar.gz
      BACKUP_PRUNING_PREFIX: backup-
-      BACKUP_RETENTION_DAYS: '7'
+      BACKUP_RETENTION_PERIOD: '168h'
    volumes:
      - ${HOME}/backups:/archive
      - data:/backup/my-app-backup:ro
@@ -32,3 +33,5 @@ services:
 volumes:
  data:
 ```
+
+[duration]: https://pkg.go.dev/time#ParseDuration
--- a/docs/how-tos/handle-file-uploads-using-third-party-tools.md
+++ b/docs/how-tos/handle-file-uploads-using-third-party-tools.md
@@ -33,7 +33,7 @@ services:
      - docker-volume-backup.copy-post=/bin/sh -c 'rsync $$COMMAND_RUNTIME_ARCHIVE_FILEPATH /destination'
    volumes:
      - app_data:/backup/app_data:ro
-      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - /var/run/docker.sock:/var/run/docker.sock

  # other services defined here ...
 volumes:
--- a/docs/recipes/index.md
+++ b/docs/recipes/index.md
@@ -280,7 +280,7 @@ services:
      AWS_SECRET_ACCESS_KEY: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
      BACKUP_FILENAME: backup-%Y-%m-%dT%H-%M-%S.tar.gz
      BACKUP_PRUNING_PREFIX: backup-
-      BACKUP_RETENTION_DAYS: 7
+      BACKUP_RETENTION_PERIOD: 168h
    volumes:
      - data:/backup/my-app-backup:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
@@ -358,7 +358,7 @@ services:
    volumes:
      - ./local:/archive
      - data:/backup/data:ro
-      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - /var/run/docker.sock:/var/run/docker.sock

 volumes:
  data:
--- a/docs/reference/index.md
+++ b/docs/reference/index.md
@@ -9,7 +9,7 @@ nav_order: 2
 Backup targets, schedule and retention are configured using environment variables.

 {: .note }
-As per established convention, you can use any environment variable key from below with a `_FILE` suffix in order to load the value from a file instead.
+You can use any environment variable from below also with a `_FILE` suffix to be able to load the value from a file.
 This is typically useful when using [Docker Secrets](https://docs.docker.com/engine/swarm/secrets/) or similar.
 Note that secrets will not be trimmed of leading or trailing whitespace.

@@ -17,14 +17,13 @@ Note that secrets will not be trimmed of leading or trailing whitespace.
 In case you encounter double quoted values in your runtime configuration you might still be using an [older version of `docker-compose`][compose-issue].
 You can work around this by either updating `docker-compose` or unquoting your configuration values.

-You can populate below template according to your requirements and use it as your `env_file`.
-The values for each key currently match its default.
+You can populate below template according to your requirements and use it as your `env_file`:

 {% raw %}
 ```
 ########### BACKUP SCHEDULE

-# Backups can be run on fixed scheduled that are defined as a cron expression.
+
 # A cron expression represents a set of times, using 5 or 6 space-separated fields.
 #
 # Field name   | Mandatory? | Allowed values  | Allowed special characters
@@ -38,14 +37,10 @@ The values for each key currently match its default.
 #
 # Month and Day-of-week field values are case insensitive.
 # "SUN", "Sun", and "sun" are equally accepted.
+# If no value is set, `@daily` will be used.
 # If you do not want the cron to ever run, use `0 0 5 31 2 ?`.
-# Refer to sites like <https://crontab.guru> for help.
-# If no value is set, `@daily` will be used, which runs every
-# day at midnight.

-# BACKUP_CRON_EXPRESSION="@daily"
-
-# ---
+# BACKUP_CRON_EXPRESSION="0 2 * * *"

 # The compression algorithm used in conjunction with tar.
 # Valid options are: "gz" (Gzip), "zst" (Zstd) or "none" (tar only).
@@ -53,19 +48,15 @@ The values for each key currently match its default.

 # BACKUP_COMPRESSION="gz"

-# ---
-
 # Parallelism level for "gz" (Gzip) compression.
 # Defines how many blocks of data are concurrently processed.
 # Higher values result in faster compression. No effect on decompression
 # Default = 1. Setting this to 0 will use all available threads.

-# GZIP_PARALLELISM="1"
+# GZIP_PARALLELISM=1

-# ---
-
-# The desired name of the backup file including the extension.
-# Format verbs will be replaced as in `strftime`. Omitting all verbs
+# The name of the backup file including the extension.
+# Format verbs will be replaced as in `strftime`. Omitting them
 # will result in the same filename for every backup run, which means previous
 # versions will be overwritten on subsequent runs.
 # Extension can be defined literally or via "{{ .Extension }}" template,
@@ -75,8 +66,6 @@ The values for each key currently match its default.

 # BACKUP_FILENAME="backup-%Y-%m-%dT%H-%M-%S.{{ .Extension }}"

-# ---
-
 # Setting BACKUP_FILENAME_EXPAND to true allows for environment variable
 # placeholders in BACKUP_FILENAME, BACKUP_LATEST_SYMLINK and in
 # BACKUP_PRUNING_PREFIX that will get expanded at runtime,
@@ -87,15 +76,10 @@ The values for each key currently match its default.

 # BACKUP_FILENAME_EXPAND="true"

-# ---
-
 # When storing local backups, a symlink to the latest backup can be created
 # in case a value is given for this key. This has no effect on remote backups.
-# Example: "backup.latest.tar.gz"

-# BACKUP_LATEST_SYMLINK=""
-
-# ---
+# BACKUP_LATEST_SYMLINK="backup.latest.tar.gz"

 # ************************************************************************
 # The BACKUP_FROM_SNAPSHOT option has been deprecated and will be removed
@@ -109,285 +93,203 @@ The values for each key currently match its default.

 # BACKUP_FROM_SNAPSHOT="false"

-# ---
+# By default, the `/backup` directory inside the container will be backed up.
+# In case you need to use a custom location, set `BACKUP_SOURCES`.

-# By default, the contents of the `/backup` directory inside the container
-# will be backed up. In case you need to use a custom location, set `BACKUP_SOURCES`.
-# Example: "/other/location"
+# BACKUP_SOURCES="/other/location"

-# BACKUP_SOURCES="/backup"
-
-# ---
-
-# When a value is given, all files in BACKUP_SOURCES whose full path matches the
+# When given, all files in BACKUP_SOURCES whose full path matches the given
 # regular expression will be excluded from the archive. Regular Expressions
 # can be used as from the Go standard library https://pkg.go.dev/regexp
-# Example: "\.log$"

-# BACKUP_EXCLUDE_REGEXP=""
-
-# ---
+# BACKUP_EXCLUDE_REGEXP="\.log$"

 # Exclude one or many storage backends from the pruning process.
-# Available backends are: S3, WebDAV, SSH, Local, Dropbox, Azure
 # E.g. with one backend excluded: BACKUP_SKIP_BACKENDS_FROM_PRUNE=s3
 # E.g. with multiple backends excluded: BACKUP_SKIP_BACKENDS_FROM_PRUNE=s3,webdav
-# Note: The names of the backends are case insensitive. 
+# Available backends are: S3, WebDAV, SSH, Local, Dropbox, Azure
+# Note: The name of the backends is case insensitive. 
 # Default: All backends get pruned.

-# BACKUP_SKIP_BACKENDS_FROM_PRUNE=""
+# BACKUP_SKIP_BACKENDS_FROM_PRUNE=

-########### S3 COMPATIBLE STORAGE
+########### BACKUP STORAGE

 # The name of the remote bucket that should be used for storing backups. If
 # this is not set, no remote backups will be stored.
-# Example: "backup-bucket"

-# AWS_S3_BUCKET_NAME=""
-
-# ---
+# AWS_S3_BUCKET_NAME="backup-bucket"

 # If you want to store the backup in a non-root location on your bucket
 # you can provide a path. The path must not contain a leading slash.
-# Example: "my/backup/location"

-# AWS_S3_PATH=""
-
-# ---
+# AWS_S3_PATH="my/backup/location"

 # Define credentials for authenticating against the backup storage and a bucket
 # name. Although all of these keys are `AWS`-prefixed, the setup can be used
 # with any S3 compatible storage.

-# AWS_ACCESS_KEY_ID=""
-# AWS_SECRET_ACCESS_KEY=""
-
-# ---
+# AWS_ACCESS_KEY_ID="<xxx>"
+# AWS_SECRET_ACCESS_KEY="<xxx>"

 # Instead of providing static credentials, you can also use IAM instance profiles
 # or similar to provide authentication. Some possible configuration options on AWS:
 # - EC2: http://169.254.169.254
 # - ECS: http://169.254.170.2

-# AWS_IAM_ROLE_ENDPOINT=""
-
-# ---
+# AWS_IAM_ROLE_ENDPOINT="http://169.254.169.254"

 # This is the FQDN of your storage server, e.g. `storage.example.com`.
-# If you need to set a specific (non-https) protocol, you will need to use the option below.
-# The default value points to the standard AWS S3 endpoint.
+# Do not set this when working against AWS S3 (the default value is
+# `s3.amazonaws.com`). If you need to set a specific (non-https) protocol, you
+# will need to use the option below.

-# AWS_ENDPOINT="s3.amazonaws.com"
+# AWS_ENDPOINT="storage.example.com"

-# ---
-
-# The protocol to be used when communicating with your S3 storage server.
+# The protocol to be used when communicating with your storage server.
 # Defaults to "https". You can set this to "http" when communicating with
-# a different Docker container in the same virtual network for example.
+# a different Docker container on the same host for example.

 # AWS_ENDPOINT_PROTO="https"

-# ---
-
 # Setting this variable to `true` will disable verification of
 # SSL certificates for AWS_ENDPOINT. You shouldn't use this unless you use
 # self-signed certificates for your remote storage backend. This can only be
 # used when AWS_ENDPOINT_PROTO is set to `https`.

-# AWS_ENDPOINT_INSECURE="false"
-
-# ---
+# AWS_ENDPOINT_INSECURE="true"

 # If you wish to use self signed certificates your S3 server, you can pass
 # the location of a PEM encoded CA certificate and it will be used for
-# validating your certificates. Alternatively, pass a PEM encoded string
-# containing the certificate.
-# Example: "/path/to/cert.pem"
+# validating your certificates.
+# Alternatively, pass a PEM encoded string containing the certificate.

-# AWS_ENDPOINT_CA_CERT=""
+# AWS_ENDPOINT_CA_CERT="/path/to/cert.pem"

-# ---
+# Setting this variable will change the S3 storage class header.
+# Defaults to "STANDARD", you can set this value according to your needs.

-# Setting a value for this key will change the S3 storage class header.
-# Default behavior is to use the standard class when no value is given.
-# Example: "GLACIER"
-
-# AWS_STORAGE_CLASS=""
-
-# ---
+# AWS_STORAGE_CLASS="GLACIER"

 # Setting this variable will change the S3 default part size for the copy step.
 # This value is useful when you want to upload large files.
-# NB: While using Scaleway as S3 provider, be aware that the parts counter is set to 1.000.
+# NB : While using Scaleway as S3 provider, be aware that the parts counter is set to 1.000.
 # While Minio uses a hard coded value to 10.000. As a workaround, try to set a higher value.
 # Defaults to "16" (MB) if unset (from minio), you can set this value according to your needs.
 # The unit is in MB and an integer.

-# AWS_PART_SIZE="16"
+# AWS_PART_SIZE=16

-########### WEBDAV STORAGE
+# You can also backup files to any WebDAV server:

 # The URL of the remote WebDAV server
-# Example: "https://webdav.example.com"

-# WEBDAV_URL=""
-
-# ---
+# WEBDAV_URL="https://webdav.example.com"

 # The Directory to place the backups to on the WebDAV server.
 # If the path is not present on the server it will be created.
-# Example: "/my/directory/"

-# WEBDAV_PATH=""
-
-# ---
+# WEBDAV_PATH="/my/directory/"

 # The username for the WebDAV server
-# Example: "user"

-# WEBDAV_USERNAME=""
-
-# ---
+# WEBDAV_USERNAME="user"

 # The password for the WebDAV server
-# Example: "password"

-# WEBDAV_PASSWORD=""
+# WEBDAV_PASSWORD="password"

-# ---
-
-# Setting this variable to "true" will disable verification of
+# Setting this variable to `true` will disable verification of
 # SSL certificates for WEBDAV_URL. You shouldn't use this unless you use
 # self-signed certificates for your remote storage backend.

-# WEBDAV_URL_INSECURE="false"
+# WEBDAV_URL_INSECURE="true"

-########### SSH/SFTP STORAGE
+# You can also backup files to any SSH server:

-# The FQDN of the remote SSH server
-# Example: "server.local"
+# The URL of the remote SSH server

-# SSH_HOST_NAME=""
-
-# ---
+# SSH_HOST_NAME="server.local"

 # The port of the remote SSH server
+# Optional variable default value is `22`

-# SSH_PORT="22"
-
-# ---
+# SSH_PORT=2222

 # The Directory to place the backups to on the SSH server.
-# Example: "/home/user/backups"

-# SSH_REMOTE_PATH=""
-
-# ---
+# SSH_REMOTE_PATH="/my/directory/"

 # The username for the SSH server
-# Example: "user"

-# SSH_USER=""
-
-# ---
+# SSH_USER="user"

 # The password for the SSH server
-# Example: "password"

-# SSH_PASSWORD=""
+# SSH_PASSWORD="password"

-# ---
-
-# The private key path in container for SSH server.
-# Consumers can mount a file into /root/.ssh/id_rsa (or the respective value)
-# in order to have it being used. Non-RSA keys (e.g. ed25519) will also work.
+# The private key path in container for SSH server
+# Default value: /root/.ssh/id_rsa
+# If file is mounted to /root/.ssh/id_rsa path it will be used. Non-RSA keys will
+# also work.

 # SSH_IDENTITY_FILE="/root/.ssh/id_rsa"

-# ---
+# The passphrase for the identity file

-# The passphrase for the identity file if applicable
-# Example: "pass"
-
-# SSH_IDENTITY_PASSPHRASE=""
-
-########### AZURE BLOB STORAGE
+# SSH_IDENTITY_PASSPHRASE="pass"

 # The credential's account name when using Azure Blob Storage. This has to be
 # set when using Azure Blob Storage.
-# Example: "account-name"

-# AZURE_STORAGE_ACCOUNT_NAME=""
-
-# ---
+# AZURE_STORAGE_ACCOUNT_NAME="account-name"

 # The credential's primary account key when using Azure Blob Storage. If this
 # is not given, the command tries to fall back to using a connection string
-# (if given) or a managed identity (if neither is set).
+# (if given) or a managed identity (if nothing is given).

-# AZURE_STORAGE_PRIMARY_ACCOUNT_KEY=""
-
-# ---
+# AZURE_STORAGE_PRIMARY_ACCOUNT_KEY="<xxx>"

 # A connection string for accessing Azure Blob Storage. If this
 # is not given, the command tries to fall back to using a primary account key
-# (if given) or a managed identity (if neither is set).
+# (if given) or a managed identity (if nothing is given).

-# AZURE_STORAGE_CONNECTION_STRING=""
-
-# ---
+# AZURE_STORAGE_CONNECTION_STRING="<xxx>"

 # The container name when using Azure Blob Storage.
-# Example: "container-name"

-# AZURE_STORAGE_CONTAINER_NAME=""
-
-# ---
+# AZURE_STORAGE_CONTAINER_NAME="container-name"

 # The service endpoint when using Azure Blob Storage. This is a template that
 # can be passed the account name as shown in the default value below.

 # AZURE_STORAGE_ENDPOINT="https://{{ .AccountName }}.blob.core.windows.net/"

-# ---
+# Absolute remote path in your Dropbox where the backups shall be stored.
+# Note: Use your app's subpath in Dropbox, if it doesn't have global access.
+# Consulte the README for further information.

 # The access tier when using Azure Blob Storage. Possible values are
 # https://github.com/Azure/azure-sdk-for-go/blob/sdk/storage/azblob/v1.3.2/sdk/storage/azblob/internal/generated/zz_constants.go#L14-L30
-# Example: "Cold"

-# AZURE_STORAGE_ACCESS_TIER=""
+# AZURE_STORAGE_ACCESS_TIER="Cold"

-########### DROPBOX STORAGE
-
-# Absolute remote path in your Dropbox where the backups shall be stored.
-# Note: Use your app's subpath in Dropbox, if it doesn't have global access.
-# Consult the README for further information.
-# Example: "/my/directory"
-
-# DROPBOX_REMOTE_PATH=""
-
-# ---
-
-# App key and app secret from your app created at https://www.dropbox.com/developers/apps/info
-
-# DROPBOX_APP_KEY=""
-# DROPBOX_APP_SECRET=""
-
-# ---
+# DROPBOX_REMOTE_PATH="/my/directory"

 # Number of concurrent chunked uploads for Dropbox.
 # Values above 6 usually result in no enhancements.

 # DROPBOX_CONCURRENCY_LEVEL="6"

-# ---
+# App key and app secret from your app created at https://www.dropbox.com/developers/apps/info
+
+# DROPBOX_APP_KEY=""
+# DROPBOX_APP_SECRET=""

 # Refresh token to request new short-lived tokens (OAuth2). Consult README to see how to get one.

 # DROPBOX_REFRESH_TOKEN=""

-########### LOCAL FILE STORAGE
-
 # In addition to storing backups remotely, you can also keep local copies.
 # Pass a container-local path to store your backups if needed. You also need to
 # mount a local folder or Docker volume into that location (`/archive`
@@ -409,12 +311,11 @@ The values for each key currently match its default.
 # for such files, or to configure BACKUP_PRUNING_PREFIX to limit
 # removal to certain files.

-# Pass zero or a positive integer value to enable automatic rotation of
-# old backups. The value declares the number of days for which a backup is kept.
+# Define this value to enable automatic rotation of old backups. The value
+# declares the duration for which a backup is kept. It is formatted as per
+# https://pkg.go.dev/time#ParseDuration, e.g. 1 day turns into `24h`

-# BACKUP_RETENTION_DAYS="-1"
-
-# ---
+# BACKUP_RETENTION_PERIOD="168h"

 # In case the duration a backup takes fluctuates noticeably in your setup
 # you can adjust this setting to make sure there are no race conditions
@@ -426,8 +327,6 @@ The values for each key currently match its default.

 # BACKUP_PRUNING_LEEWAY="1m"

-# ---
-
 # In case your target bucket or directory contains other files than the ones
 # managed by this container, you can limit the scope of rotation by setting
 # a prefix value. This would usually be the non-parametrized part of your
@@ -435,7 +334,7 @@ The values for each key currently match its default.
 # you can set BACKUP_PRUNING_PREFIX to `db-backup-` and make sure
 # unrelated files are not affected by the rotation mechanism.

-# BACKUP_PRUNING_PREFIX=""
+# BACKUP_PRUNING_PREFIX="backup-"

 ########### BACKUP ENCRYPTION

@@ -444,28 +343,26 @@ The values for each key currently match its default.

 # Backups can be encrypted symmetrically using gpg in case a passphrase is given.

-# GPG_PASSPHRASE=""
-
-# ---
+# GPG_PASSPHRASE="<xxx>"

 # Backups can be encrypted asymmetrically using gpg in case publickeys are given.
-# You can use pipe syntax to pass a multiline value.

-# GPG_PUBLIC_KEY_RING=""
-
-# ---
+# GPG_PUBLIC_KEY_RING= | 
+#-----BEGIN PGP PUBLIC KEY BLOCK-----
+#
+#D/cIHu6GH/0ghlcUVSbgMg5RRI5QKNNKh04uLAPxr75mKwUg0xPUaWgyyrAChVBi
+#...
+#-----END PGP PUBLIC KEY BLOCK-----

 # Backups can be encrypted symmetrically using age in case a passphrase is given.

-# AGE_PASSPHRASE=""
-
-# ---
+# AGE_PASSPHRASE="<xxx>"

 # Backups can be encrypted asymmetrically using age in case publickeys are given.
-# Multiple keys need to be provided as a comma separated list. Right now, this
-# supports `age` and `ssh` keys
+# Multiple keys need to be provided as a comma separated list. Right now, this only
+# support passing age keys, with no support for ssh keys.

-# AGE_PUBLIC_KEYS=""
+# AGE_PUBLIC_KEYS="<xxx>"

 ########### STOPPING CONTAINERS AND SERVICES DURING BACKUP

@@ -473,17 +370,18 @@ The values for each key currently match its default.
 # `docker-volume-backup.stop-during-backup` label. By default, all containers and
 # services that are labeled with `true` will be stopped. If you need more fine
 # grained control (e.g. when running multiple containers based on this image),
-# you can override this default by specifying a different string value here.
-# BACKUP_STOP_DURING_BACKUP_LABEL="true"
+# you can override this default by specifying a different value here.
+# BACKUP_STOP_DURING_BACKUP_LABEL="service1"

 # When trying to scale down Docker Swarm services, give up after
 # the specified amount of time in case the service has not converged yet.
 # In case you need to adjust this timeout, supply a duration
 # value as per https://pkg.go.dev/time#ParseDuration to `BACKUP_STOP_SERVICE_TIMEOUT`.
+# Defaults to 5 minutes.

 # BACKUP_STOP_SERVICE_TIMEOUT="5m"

-########### EXECUTING COMMANDS IN CONTAINERS DURING THE BACKUP LIFECYCLE
+########### EXECUTING COMMANDS IN CONTAINERS PRE/POST BACKUP

 # It is possible to define commands to be run in any container before and after
 # a backup is conducted. The commands themselves are defined in labels like
@@ -494,17 +392,15 @@ The values for each key currently match its default.
 # is configured to be "true", command execution output will be forwarded to
 # the backup container's stdout and stderr.

-# EXEC_FORWARD_OUTPUT="false"
-
-# ---
+# EXEC_FORWARD_OUTPUT="true"

 # Without any further configuration, all commands defined in labels will be
 # run before and after a backup. If you need more fine grained control, you
 # can use this option to set a label that will be used for narrowing down
-# the set of eligible containers. E.g. when setting this to `database`,
-# an eligible container will also need to be labeled as `docker-volume-backup.exec-label=database`.
+# the set of eligible containers. When set, an eligible container will also need
+# to be labeled as `docker-volume-backup.exec-label=database`.

-# EXEC_LABEL=""
+# EXEC_LABEL="database"

 ########### NOTIFICATIONS

@@ -515,13 +411,10 @@ The values for each key currently match its default.
 # on how to do this can be found in the README. When providing multiple URLs or
 # an URL that contains a comma, the values can be URL encoded to avoid ambiguities.

-# The following example URL demonstrates how to send an email using the provided SMTP
+# The below URL demonstrates how to send an email using the provided SMTP
 # configuration and credentials.
-# Example: "smtp://username:password@host:587/?fromAddress=sender@example.com&toAddresses=recipient@example.com"

-# NOTIFICATION_URLS=""
-
-# ---
+# NOTIFICATION_URLS=smtp://username:password@host:587/?fromAddress=sender@example.com&toAddresses=recipient@example.com

 # By default, notifications would only be sent out when a backup run fails
 # To receive notifications for every run, set `NOTIFICATION_LEVEL` to `info`
@@ -533,9 +426,8 @@ The values for each key currently match its default.

 # If you are interfacing with Docker via TCP you can set the Docker host here
 # instead of mounting the Docker socket as a volume. This is unset by default.
-# Example: "tcp://docker_socket_proxy:2375"

-# DOCKER_HOST=""
+# DOCKER_HOST="tcp://docker_socket_proxy:2375"

 ########### LOCK_TIMEOUT

@@ -562,25 +454,20 @@ The values for each key currently match its default.
 # The recipient(s) of the notification. Supply a comma separated list
 # of addresses if you want to notify multiple recipients. If this is
 # not set, no emails will be sent.
-# Example: "you@example.com"

-# EMAIL_NOTIFICATION_RECIPIENT=""
+# EMAIL_NOTIFICATION_RECIPIENT="you@example.com"

-# ---
+# The "From" header of the sent email. Defaults to `noreply@nohost`.

-# The "From" header of the sent email.
-# Example: "no-reply@example.com"
-
-# EMAIL_NOTIFICATION_SENDER="noreply@nohost"
-
-# ---
+# EMAIL_NOTIFICATION_SENDER="no-reply@example.com"

 # Configuration and credentials for the SMTP server to be used.
+# EMAIL_SMTP_PORT defaults to 587.

-# EMAIL_SMTP_HOST=""
-# EMAIL_SMTP_PASSWORD=""
-# EMAIL_SMTP_USERNAME=""
-# EMAIL_SMTP_PORT="587"
+# EMAIL_SMTP_HOST="posteo.de"
+# EMAIL_SMTP_PASSWORD="<xxx>"
+# EMAIL_SMTP_USERNAME="no-reply@example.com"
+# EMAIL_SMTP_PORT="<port>"
 ```
 {% endraw %}

--- a/go.mod
+++ b/go.mod
@@ -1,33 +1,32 @@
 module github.com/offen/docker-volume-backup

-go 1.24
+go 1.23

 require (
 	filippo.io/age v1.2.1
-	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.8.2
+	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.8.1
 	github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.6.0
 	github.com/containrrr/shoutrrr v0.8.0
 	github.com/cosiner/argv v0.1.0
-	github.com/docker/cli v28.0.0+incompatible
+	github.com/docker/cli v27.5.1+incompatible
 	github.com/docker/docker v27.1.1+incompatible
 	github.com/gofrs/flock v0.12.1
 	github.com/joho/godotenv v1.5.1
-	github.com/klauspost/compress v1.18.0
+	github.com/klauspost/compress v1.17.11
 	github.com/leekchan/timeutil v0.0.0-20150802142658-28917288c48d
-	github.com/minio/minio-go/v7 v7.0.87
+	github.com/minio/minio-go/v7 v7.0.84
 	github.com/offen/envconfig v1.5.0
 	github.com/otiai10/copy v1.14.1
 	github.com/pkg/sftp v1.13.7
 	github.com/robfig/cron/v3 v3.0.1
 	github.com/studio-b12/gowebdav v0.10.0
-	golang.org/x/crypto v0.33.0
-	golang.org/x/oauth2 v0.27.0
-	golang.org/x/sync v0.11.0
+	golang.org/x/crypto v0.32.0
+	golang.org/x/oauth2 v0.25.0
+	golang.org/x/sync v0.10.0
 	mvdan.cc/sh/v3 v3.10.0
 )

 require (
-	filippo.io/edwards25519 v1.1.0 // indirect
 	github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78 // indirect
 	github.com/cloudflare/circl v1.3.7 // indirect
 	github.com/containerd/log v0.1.0 // indirect
@@ -36,10 +35,9 @@ require (
 	github.com/go-ini/ini v1.67.0 // indirect
 	github.com/go-logr/logr v1.4.1 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
-	github.com/goccy/go-json v0.10.5 // indirect
+	github.com/goccy/go-json v0.10.4 // indirect
 	github.com/golang-jwt/jwt/v5 v5.2.1 // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
-	github.com/minio/crc64nvme v1.0.1 // indirect
 	github.com/moby/docker-image-spec v1.3.1 // indirect
 	github.com/otiai10/mint v1.6.3 // indirect
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.51.0 // indirect
@@ -56,7 +54,7 @@ require (
 require (
 	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.17.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0 // indirect
-	github.com/AzureAD/microsoft-authentication-library-for-go v1.3.3 // indirect
+	github.com/AzureAD/microsoft-authentication-library-for-go v1.3.2 // indirect
 	github.com/Microsoft/go-winio v0.5.2 // indirect
 	github.com/ProtonMail/go-crypto v1.1.0-alpha.1
 	github.com/docker/go-connections v0.4.0 // indirect
@@ -81,8 +79,8 @@ require (
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/rs/xid v1.6.0 // indirect
 	github.com/sirupsen/logrus v1.9.3 // indirect
-	golang.org/x/net v0.35.0 // indirect
-	golang.org/x/sys v0.30.0 // indirect
-	golang.org/x/text v0.22.0 // indirect
+	golang.org/x/net v0.34.0 // indirect
+	golang.org/x/sys v0.29.0 // indirect
+	golang.org/x/text v0.21.0 // indirect
 	gotest.tools/v3 v3.0.3 // indirect
 )
--- a/go.sum
+++ b/go.sum
@@ -35,14 +35,12 @@ cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9
 dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
 filippo.io/age v1.2.1 h1:X0TZjehAZylOIj4DubWYU1vWQxv9bJpo+Uu2/LGhi1o=
 filippo.io/age v1.2.1/go.mod h1:JL9ew2lTN+Pyft4RiNGguFfOpewKwSHm5ayKD/A4004=
-filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA=
-filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4=
 github.com/Azure/azure-sdk-for-go/sdk/azcore v1.17.0 h1:g0EZJwz7xkXQiZAI5xi9f3WWFYBlX1CPTrR+NDToRkQ=
 github.com/Azure/azure-sdk-for-go/sdk/azcore v1.17.0/go.mod h1:XCW7KnZet0Opnr7HccfUw1PLc4CjHqpcaxW8DHklNkQ=
-github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.8.2 h1:F0gBpfdPLGsw+nsgk6aqqkZS1jiixa5WwFe3fk/T3Ys=
-github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.8.2/go.mod h1:SqINnQ9lVVdRlyC8cd1lCI0SdX4n2paeABd2K8ggfnE=
-github.com/Azure/azure-sdk-for-go/sdk/azidentity/cache v0.3.2 h1:yz1bePFlP5Vws5+8ez6T3HWXPmwOK7Yvq8QxDBD3SKY=
-github.com/Azure/azure-sdk-for-go/sdk/azidentity/cache v0.3.2/go.mod h1:Pa9ZNPuoNu/GztvBSKk9J1cDJW6vk/n0zLtV4mgd8N8=
+github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.8.1 h1:1mvYtZfWQAnwNah/C+Z+Jb9rQH95LPE2vlmMuWAHJk8=
+github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.8.1/go.mod h1:75I/mXtme1JyWFtz8GocPHVFyH421IBoZErnO16dd0k=
+github.com/Azure/azure-sdk-for-go/sdk/azidentity/cache v0.3.1 h1:Bk5uOhSAenHyR5P61D/NzeQCv+4fEVV8mOkJ82NqpWw=
+github.com/Azure/azure-sdk-for-go/sdk/azidentity/cache v0.3.1/go.mod h1:QZ4pw3or1WPmRBxf0cHd1tknzrT54WPBOQoGutCPvSU=
 github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0 h1:ywEEhmNahHBihViHepv3xPBn1663uRv2t2q/ESv9seY=
 github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0/go.mod h1:iZDifYGJTIgIIkYRNWPENUnqx6bJ2xnSDFI2tjwZNuY=
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/storage/armstorage v1.6.0 h1:PiSrjRPpkQNjrM8H0WwKMnZUdu1RGMtd/LdGKUrOo+c=
@@ -53,8 +51,8 @@ github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78 h1:w+iIsaOQNcT7O
 github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78/go.mod h1:LmzpDX56iTiv29bbRTIsUNlaFfuhWRQBWjQdVyAevI8=
 github.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1 h1:WJTmL004Abzc5wDB5VtZG2PJk5ndYDgVacGqfirKxjM=
 github.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1/go.mod h1:tCcJZ0uHAmvjsVYzEFivsRTN00oz5BEsRgQHu5JZ9WE=
-github.com/AzureAD/microsoft-authentication-library-for-go v1.3.3 h1:H5xDQaE3XowWfhZRUpnfC+rGZMEVoSiji+b+/HFAPU4=
-github.com/AzureAD/microsoft-authentication-library-for-go v1.3.3/go.mod h1:wP83P5OoQ5p6ip3ScPr0BAq0BvuPAvacpEuSzyouqAI=
+github.com/AzureAD/microsoft-authentication-library-for-go v1.3.2 h1:kYRSnvJju5gYVyhkij+RTJ/VR6QIUaCfWeaFm2ycsjQ=
+github.com/AzureAD/microsoft-authentication-library-for-go v1.3.2/go.mod h1:wP83P5OoQ5p6ip3ScPr0BAq0BvuPAvacpEuSzyouqAI=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
 github.com/Microsoft/go-winio v0.5.2 h1:a9IhgEQBCUEk6QCdml9CiJGhAws+YwffDHEMp1VMrpA=
@@ -86,8 +84,8 @@ github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f h1:lO4WD4F/r
 github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f/go.mod h1:cuUVRXasLTGF7a8hSLbxyZXjz+1KgoB3wDUb6vlszIc=
 github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk=
 github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
-github.com/docker/cli v28.0.0+incompatible h1:ido37VmLUqEp+5NFb9icd6BuBB+SNDgCn+5kPCr2buA=
-github.com/docker/cli v28.0.0+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
+github.com/docker/cli v27.5.1+incompatible h1:JB9cieUT9YNiMITtIsguaN55PLOHhBSz3LKVc6cqWaY=
+github.com/docker/cli v27.5.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
 github.com/docker/docker v27.1.1+incompatible h1:hO/M4MtV36kzKldqnA37IWhebRA+LnqqcqDja6kVaKY=
 github.com/docker/docker v27.1.1+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/go-connections v0.4.0 h1:El9xVISelRB7BuFusrZozjnkIM5YnzCViNKohAFqRJQ=
@@ -120,8 +118,8 @@ github.com/go-quicktest/qt v1.101.0 h1:O1K29Txy5P2OK0dGo59b7b0LR6wKfIhttaAhHUyn7
 github.com/go-quicktest/qt v1.101.0/go.mod h1:14Bz/f7NwaXPtdYEgzsx46kqSxVwTbzVZsDC26tQJow=
 github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI=
 github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls=
-github.com/goccy/go-json v0.10.5 h1:Fq85nIqj+gXn/S5ahsiTlK3TmC85qgirsdTP/+DeaC4=
-github.com/goccy/go-json v0.10.5/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M=
+github.com/goccy/go-json v0.10.4 h1:JSwxQzIqKfmFX1swYPpUThQZp/Ka4wzJdK0LWVytLPM=
+github.com/goccy/go-json v0.10.4/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M=
 github.com/gofrs/flock v0.12.1 h1:MTLVXXHf8ekldpJk3AKicLij9MdwOWkZ+a/jHHZby9E=
 github.com/gofrs/flock v0.12.1/go.mod h1:9zxTsyu5xtJ9DK+1tFZyibEV7y3uwDxPPfbxeeHCoD0=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
@@ -196,8 +194,8 @@ github.com/keybase/go-keychain v0.0.0-20231219164618-57a3676c3af6 h1:IsMZxCuZqKu
 github.com/keybase/go-keychain v0.0.0-20231219164618-57a3676c3af6/go.mod h1:3VeWNIJaW+O5xpRQbPp0Ybqu1vJd/pm7s2F473HRrkw=
 github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
-github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo=
-github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ=
+github.com/klauspost/compress v1.17.11 h1:In6xLpyWOi1+C7tXUUWv2ot1QvBjxevKAaI6IXrJmUc=
+github.com/klauspost/compress v1.17.11/go.mod h1:pMDklpSncoRMuLFrf1W9Ss9KT+0rH90U12bZKk7uwG0=
 github.com/klauspost/cpuid/v2 v2.0.1/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg=
 github.com/klauspost/cpuid/v2 v2.2.9 h1:66ze0taIn2H33fBvCkXuv9BmCwDfafmiIVpKV9kKGuY=
 github.com/klauspost/cpuid/v2 v2.2.9/go.mod h1:rqkxqrZ1EhYM9G+hXH7YdowN5R5RGN6NK4QwQ3WMXF8=
@@ -222,12 +220,10 @@ github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovk
 github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
 github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
 github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
-github.com/minio/crc64nvme v1.0.1 h1:DHQPrYPdqK7jQG/Ls5CTBZWeex/2FMS3G5XGkycuFrY=
-github.com/minio/crc64nvme v1.0.1/go.mod h1:eVfm2fAzLlxMdUGc0EEBGSMmPwmXD5XiNRpnu9J3bvg=
 github.com/minio/md5-simd v1.1.2 h1:Gdi1DZK69+ZVMoNHRXJyNcxrMA4dSxoYHZSQbirFg34=
 github.com/minio/md5-simd v1.1.2/go.mod h1:MzdKDxYpY2BT9XQFocsiZf/NKVtR7nkE4RoEpN+20RM=
-github.com/minio/minio-go/v7 v7.0.87 h1:nkr9x0u53PespfxfUqxP3UYWiE2a41gaofgNnC4Y8WQ=
-github.com/minio/minio-go/v7 v7.0.87/go.mod h1:33+O8h0tO7pCeCWwBVa07RhVVfB/3vS4kEX7rwYKmIg=
+github.com/minio/minio-go/v7 v7.0.84 h1:D1HVmAF8JF8Bpi6IU4V9vIEj+8pc+xU88EWMs2yed0E=
+github.com/minio/minio-go/v7 v7.0.84/go.mod h1:57YXpvc5l3rjPdhqNrDsvVlY0qPI6UTk1bflAe+9doY=
 github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0=
 github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo=
 github.com/moby/term v0.0.0-20200312100748-672ec06f55cd h1:aY7OQNf2XqY/JQ6qREWamhI/81os/agb2BAGpcx5yWI=
@@ -317,8 +313,8 @@ golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8U
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
-golang.org/x/crypto v0.33.0 h1:IOBPskki6Lysi0lo9qQvbxiQ+FvsCC/YWOecCHAixus=
-golang.org/x/crypto v0.33.0/go.mod h1:bVdXmD7IV/4GdElGPozy6U7lWdRXA4qyRVGJV57uQ5M=
+golang.org/x/crypto v0.32.0 h1:euUpcYgM8WcP71gNpTqQCn6rC2t6ULUPiOzfWaXVVfc=
+golang.org/x/crypto v0.32.0/go.mod h1:ZnnJkOaASj8g0AjIduWNlq2NRxL0PlBrbKVyZ6V/Ugc=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -382,16 +378,16 @@ golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
-golang.org/x/net v0.35.0 h1:T5GQRQb2y08kTAByq9L4/bz8cipCdA8FbRTXewonqY8=
-golang.org/x/net v0.35.0/go.mod h1:EglIi67kWsHKlRzzVMUD93VMSWGFOMSZgxFjparz1Qk=
+golang.org/x/net v0.34.0 h1:Mb7Mrk043xzHgnRM88suvJFwzVrRfHEHJEl5/71CKw0=
+golang.org/x/net v0.34.0/go.mod h1:di0qlW3YNM5oh6GqDGQr92MyTozJPmybPK4Ev/Gm31k=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20201208152858-08078c50e5b5/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.27.0 h1:da9Vo7/tDv5RH/7nZDz1eMGS/q1Vv1N/7FCrBhI9I3M=
-golang.org/x/oauth2 v0.27.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
+golang.org/x/oauth2 v0.25.0 h1:CY4y7XT9v0cRI9oupztF8AgiIu99L/ksR/Xp/6jrZ70=
+golang.org/x/oauth2 v0.25.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -403,8 +399,8 @@ golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.11.0 h1:GGz8+XQP4FvTTrjZPzNKTMFtSXH80RAzG+5ghFPgK9w=
-golang.org/x/sync v0.11.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ=
+golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -445,15 +441,15 @@ golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.30.0 h1:QjkSwP/36a20jFYWkSue1YwXzLmsV5Gfq7Eiy72C1uc=
-golang.org/x/sys v0.30.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.29.0 h1:TPYlXGxvx1MGTn2GiZDhnjPA9wZzZeGKHHmKhHYvgaU=
+golang.org/x/sys v0.29.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
 golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
 golang.org/x/term v0.15.0/go.mod h1:BDl952bC7+uMoWR75FIrCDx79TPU9oHkTZ9yRbYOrX0=
-golang.org/x/term v0.29.0 h1:L6pJp37ocefwRRtYPKSWOWzOtWSxVajvz2ldH/xi3iU=
-golang.org/x/term v0.29.0/go.mod h1:6bl4lRlvVuDgSf3179VpIxBF0o10JUpXWOnI7nErv7s=
+golang.org/x/term v0.28.0 h1:/Ts8HFuMR2E6IP/jlo7QVLZHggjKQbhu/7H0LJFr3Gg=
+golang.org/x/term v0.28.0/go.mod h1:Sw/lC2IAUZ92udQNf3WodGtn4k/XoLyZoh8v/8uiwek=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -463,8 +459,8 @@ golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
-golang.org/x/text v0.22.0 h1:bofq7m3/HAFvbF51jz3Q9wLg3jkvSPuiZu/pD1XwgtM=
-golang.org/x/text v0.22.0/go.mod h1:YRoo4H8PVmsu+E3Ou7cqLVH8oXWIHVoX0jqUWALQhfY=
+golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
+golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
--- a/internal/storage/azure/azure.go
+++ b/internal/storage/azure/azure.go
@@ -9,7 +9,6 @@ import (
 	"errors"
 	"fmt"
 	"os"
-	"path"
 	"path/filepath"
 	"strings"
 	"sync"
@@ -129,7 +128,7 @@ func (b *azureBlobStorage) Copy(file string) error {
 	_, err = b.client.UploadStream(
 		context.Background(),
 		b.containerName,
-		path.Join(b.DestinationPath, filepath.Base(file)),
+		filepath.Join(b.DestinationPath, filepath.Base(file)),
 		fileReader,
 		b.uploadStreamOptions,
 	)
@@ -142,7 +141,7 @@ func (b *azureBlobStorage) Copy(file string) error {
 // Prune rotates away backups according to the configuration and provided
 // deadline for the Azure Blob storage backend.
 func (b *azureBlobStorage) Prune(deadline time.Time, pruningPrefix string) (*storage.PruneStats, error) {
-	lookupPrefix := path.Join(b.DestinationPath, pruningPrefix)
+	lookupPrefix := filepath.Join(b.DestinationPath, pruningPrefix)
 	pager := b.client.NewListBlobsFlatPager(b.containerName, &container.ListBlobsFlatOptions{
 		Prefix: &lookupPrefix,
 	})
--- a/internal/storage/dropbox/dropbox.go
+++ b/internal/storage/dropbox/dropbox.go
@@ -7,6 +7,7 @@ import (
 	"net/url"
 	"os"
 	"path"
+	"path/filepath"
 	"strings"
 	"sync"
 	"time"
@@ -194,7 +195,7 @@ loop:
 	_, err = b.client.UploadSessionFinish(
 		files.NewUploadSessionFinishArg(
 			files.NewUploadSessionCursor(sessionId, 0),
-			files.NewCommitInfo(path.Join(b.DestinationPath, name)),
+			files.NewCommitInfo(filepath.Join(b.DestinationPath, name)),
 		), nil)
 	if err != nil {
 		return errwrap.Wrap(err, "error finishing the upload session")
@@ -246,7 +247,7 @@ func (b *dropboxStorage) Prune(deadline time.Time, pruningPrefix string) (*stora

 	pruneErr := b.DoPrune(b.Name(), len(matches), lenCandidates, deadline, func() error {
 		for _, match := range matches {
-			if _, err := b.client.DeleteV2(files.NewDeleteArg(path.Join(b.DestinationPath, match.Name))); err != nil {
+			if _, err := b.client.DeleteV2(files.NewDeleteArg(filepath.Join(b.DestinationPath, match.Name))); err != nil {
 				return errwrap.Wrap(err, "error removing file from Dropbox storage")
 			}
 		}
--- a/internal/storage/local/local.go
+++ b/internal/storage/local/local.go
@@ -96,7 +96,7 @@ func (b *localStorage) Prune(deadline time.Time, pruningPrefix string) (*storage
 			)
 		}

-		if !fi.IsDir() && fi.Mode()&os.ModeSymlink != os.ModeSymlink {
+		if fi.Mode()&os.ModeSymlink != os.ModeSymlink {
 			candidates = append(candidates, candidate)
 		}
 	}
--- a/internal/storage/s3/s3.go
+++ b/internal/storage/s3/s3.go
@@ -10,6 +10,7 @@ import (
 	"fmt"
 	"os"
 	"path"
+	"path/filepath"
 	"time"

 	"github.com/minio/minio-go/v7"
@@ -123,7 +124,7 @@ func (b *s3Storage) Copy(file string) error {
 		putObjectOptions.PartSize = uint64(partSize)
 	}

-	if _, err := b.client.FPutObject(context.Background(), b.bucket, path.Join(b.DestinationPath, name), file, putObjectOptions); err != nil {
+	if _, err := b.client.FPutObject(context.Background(), b.bucket, filepath.Join(b.DestinationPath, name), file, putObjectOptions); err != nil {
 		if errResp := minio.ToErrorResponse(err); errResp.Message != "" {
 			return errwrap.Wrap(
 				nil,
@@ -146,7 +147,7 @@ func (b *s3Storage) Copy(file string) error {
 // Prune rotates away backups according to the configuration and provided deadline for the S3/Minio storage backend.
 func (b *s3Storage) Prune(deadline time.Time, pruningPrefix string) (*storage.PruneStats, error) {
 	candidates := b.client.ListObjects(context.Background(), b.bucket, minio.ListObjectsOptions{
-		Prefix:    path.Join(b.DestinationPath, pruningPrefix),
+		Prefix:    filepath.Join(b.DestinationPath, pruningPrefix),
 		Recursive: true,
 	})

--- a/internal/storage/ssh/ssh.go
+++ b/internal/storage/ssh/ssh.go
@@ -8,6 +8,7 @@ import (
 	"io"
 	"os"
 	"path"
+	"path/filepath"
 	"strings"
 	"time"

@@ -114,7 +115,7 @@ func (b *sshStorage) Copy(file string) error {
 	}
 	defer source.Close()

-	destination, err := b.sftpClient.Create(path.Join(b.DestinationPath, name))
+	destination, err := b.sftpClient.Create(filepath.Join(b.DestinationPath, name))
 	if err != nil {
 		return errwrap.Wrap(err, "error creating file")
 	}
@@ -163,28 +164,24 @@ func (b *sshStorage) Prune(deadline time.Time, pruningPrefix string) (*storage.P
 	}

 	var matches []string
-	var numCandidates int
 	for _, candidate := range candidates {
-		if candidate.IsDir() || !strings.HasPrefix(candidate.Name(), pruningPrefix) {
+		if !strings.HasPrefix(candidate.Name(), pruningPrefix) {
 			continue
 		}
-
-		numCandidates++
 		if candidate.ModTime().Before(deadline) {
 			matches = append(matches, candidate.Name())
 		}
 	}

 	stats := &storage.PruneStats{
-		Total:  uint(numCandidates),
+		Total:  uint(len(candidates)),
 		Pruned: uint(len(matches)),
 	}

-	pruneErr := b.DoPrune(b.Name(), len(matches), numCandidates, deadline, func() error {
+	pruneErr := b.DoPrune(b.Name(), len(matches), len(candidates), deadline, func() error {
 		for _, match := range matches {
-			p := path.Join(b.DestinationPath, match)
-			if err := b.sftpClient.Remove(p); err != nil {
-				return errwrap.Wrap(err, fmt.Sprintf("error removing file %s", p))
+			if err := b.sftpClient.Remove(filepath.Join(b.DestinationPath, match)); err != nil {
+				return errwrap.Wrap(err, "error removing file")
 			}
 		}
 		return nil
--- a/internal/storage/webdav/webdav.go
+++ b/internal/storage/webdav/webdav.go
@@ -9,6 +9,7 @@ import (
 	"net/http"
 	"os"
 	"path"
+	"path/filepath"
 	"strings"
 	"time"

@@ -76,7 +77,7 @@ func (b *webDavStorage) Copy(file string) error {
 		return errwrap.Wrap(err, "error opening the file to be uploaded")
 	}

-	if err := b.client.WriteStream(path.Join(b.DestinationPath, name), r, 0644); err != nil {
+	if err := b.client.WriteStream(filepath.Join(b.DestinationPath, name), r, 0644); err != nil {
 		return errwrap.Wrap(err, "error uploading the file")
 	}
 	b.Log(storage.LogLevelInfo, b.Name(), "Uploaded a copy of backup '%s' to '%s' at path '%s'.", file, b.url, b.DestinationPath)
@@ -90,27 +91,26 @@ func (b *webDavStorage) Prune(deadline time.Time, pruningPrefix string) (*storag
 	if err != nil {
 		return nil, errwrap.Wrap(err, "error looking up candidates from remote storage")
 	}
-
 	var matches []fs.FileInfo
-	var numCandidates int
+	var lenCandidates int
 	for _, candidate := range candidates {
-		if candidate.IsDir() || !strings.HasPrefix(candidate.Name(), pruningPrefix) {
+		if !strings.HasPrefix(candidate.Name(), pruningPrefix) {
 			continue
 		}
-		numCandidates++
+		lenCandidates++
 		if candidate.ModTime().Before(deadline) {
 			matches = append(matches, candidate)
 		}
 	}

 	stats := &storage.PruneStats{
-		Total:  uint(numCandidates),
+		Total:  uint(lenCandidates),
 		Pruned: uint(len(matches)),
 	}

-	pruneErr := b.DoPrune(b.Name(), len(matches), numCandidates, deadline, func() error {
+	pruneErr := b.DoPrune(b.Name(), len(matches), lenCandidates, deadline, func() error {
 		for _, match := range matches {
-			if err := b.client.Remove(path.Join(b.DestinationPath, match.Name())); err != nil {
+			if err := b.client.Remove(filepath.Join(b.DestinationPath, match.Name())); err != nil {
 				return errwrap.Wrap(err, "error removing file")
 			}
 		}
--- a/test/age-passphrase/docker-compose.yml
+++ b/test/age-passphrase/docker-compose.yml
@@ -6,12 +6,12 @@ services:
      BACKUP_CRON_EXPRESSION: 0 0 5 31 2 ?
      BACKUP_FILENAME: test.tar.gz
      BACKUP_LATEST_SYMLINK: test-latest.tar.gz.age
-      BACKUP_RETENTION_DAYS: ${BACKUP_RETENTION_DAYS:-7}
+      BACKUP_RETENTION_PERIOD: ${BACKUP_RETENTION_PERIOD:-168h}
      AGE_PASSPHRASE: "Dance.0Tonight.Go.Typical"
    volumes:
      - ${LOCAL_DIR:-./local}:/archive
      - app_data:/backup/app_data:ro
-      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - /var/run/docker.sock:/var/run/docker.sock

  offen:
    image: offen/offen:latest
--- a/test/age-publickey/docker-compose.yml
+++ b/test/age-publickey/docker-compose.yml
@@ -6,12 +6,12 @@ services:
      BACKUP_CRON_EXPRESSION: 0 0 5 31 2 ?
      BACKUP_FILENAME: test.tar.gz
      BACKUP_LATEST_SYMLINK: test-latest.tar.gz.age
-      BACKUP_RETENTION_DAYS: ${BACKUP_RETENTION_DAYS:-7}
+      BACKUP_RETENTION_PERIOD: ${BACKUP_RETENTION_PERIOD:-168h}
      AGE_PUBLIC_KEYS: "${BACKUP_AGE_PUBLIC_KEYS}"
    volumes:
      - ${LOCAL_DIR:-./local}:/archive
      - app_data:/backup/app_data:ro
-      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - /var/run/docker.sock:/var/run/docker.sock

  offen:
    image: offen/offen:latest
--- a/test/age-publickey/run.sh
+++ b/test/age-publickey/run.sh
@@ -13,10 +13,7 @@ PK_A="$(grep -E 'public key' <"$LOCAL_DIR/pk-a.txt" | cut -d: -f2 | xargs)"
 age-keygen >"$LOCAL_DIR/pk-b.txt"
 PK_B="$(grep -E 'public key' <"$LOCAL_DIR/pk-b.txt" | cut -d: -f2 | xargs)"

-ssh-keygen -t ed25519 -m pem -f "$LOCAL_DIR/id_ed25519" -C "docker-volume-backup@local"
-PK_C="$(cat $LOCAL_DIR/id_ed25519.pub)"
-
-export BACKUP_AGE_PUBLIC_KEYS="$PK_A,$PK_B,$PK_C"
+export BACKUP_AGE_PUBLIC_KEYS="$PK_A,$PK_B"

 docker compose up -d --quiet-pull
 sleep 5
@@ -44,4 +41,3 @@ do_decrypt() {

 do_decrypt "$LOCAL_DIR/pk-a.txt"
 do_decrypt "$LOCAL_DIR/pk-b.txt"
-do_decrypt "$LOCAL_DIR/id_ed25519"
--- a/test/azure/docker-compose.yml
+++ b/test/azure/docker-compose.yml
@@ -37,12 +37,12 @@ services:
      AZURE_STORAGE_ACCESS_TIER: Hot
      BACKUP_FILENAME: test.tar.gz
      BACKUP_CRON_EXPRESSION: 0 0 5 31 2 ?
-      BACKUP_RETENTION_DAYS: ${BACKUP_RETENTION_DAYS:-7}
+      BACKUP_RETENTION_PERIOD: ${BACKUP_RETENTION_PERIOD:-168h}
      BACKUP_PRUNING_LEEWAY: 5s
      BACKUP_PRUNING_PREFIX: test
    volumes:
      - app_data:/backup/app_data:ro
-      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - /var/run/docker.sock:/var/run/docker.sock

  offen:
    image: offen/offen:latest
--- a/test/azure/run.sh
+++ b/test/azure/run.sh
@@ -38,7 +38,7 @@ rm "$LOCAL_DIR/test.tar.gz"

 # The second part of this test checks if backups get deleted when the retention
 # is set to 0 days (which it should not as it would mean all backups get deleted)
-BACKUP_RETENTION_DAYS="0" docker compose up -d
+BACKUP_RETENTION_PERIOD="1s" docker compose up -d
 sleep 5

 docker compose exec backup backup
@@ -52,7 +52,7 @@ pass "Remote backups have not been deleted."
 # The third part of this test checks if old backups get deleted when the retention
 # is set to 7 days (which it should)

-BACKUP_RETENTION_DAYS="7" docker compose up -d
+BACKUP_RETENTION_PERIOD="168h" docker compose up -d
 sleep 5

 info "Create first backup with no prune"
--- a/test/certs/docker-compose.yml
+++ b/test/certs/docker-compose.yml
@@ -26,11 +26,11 @@ services:
      AWS_ENDPOINT_CA_CERT: /root/minio-rootCA.crt
      AWS_S3_BUCKET_NAME: backup
      BACKUP_CRON_EXPRESSION: 0 0 5 31 2 ?
-      BACKUP_RETENTION_DAYS: ${BACKUP_RETENTION_DAYS:-7}
+      BACKUP_RETENTION_PERIOD: ${BACKUP_RETENTION_PERIOD:-168h}
      BACKUP_PRUNING_LEEWAY: 5s
    volumes:
      - app_data:/backup/app_data:ro
-      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - /var/run/docker.sock:/var/run/docker.sock
      - ${CERT_DIR:-.}/rootCA.crt:/root/minio-rootCA.crt

  offen:
--- a/test/cli/run.sh
+++ b/test/cli/run.sh
@@ -37,7 +37,7 @@ docker run --rm -q \
  --network test_network \
  -v app_data:/backup/app_data \
  -v empty_data:/backup/empty_data \
-  -v /var/run/docker.sock:/var/run/docker.sock:ro \
+  -v /var/run/docker.sock:/var/run/docker.sock \
  --env AWS_ACCESS_KEY_ID=test \
  --env AWS_SECRET_ACCESS_KEY=GMusLtUmILge2by+z890kQ \
  --env AWS_ENDPOINT=minio:9000 \
--- a/test/collision/docker-compose.yml
+++ b/test/collision/docker-compose.yml
@@ -9,7 +9,7 @@ services:
    volumes:
      - offen_data:/backup/offen_data:ro
      - ${LOCAL_DIR:-./local}:/archive
-      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - /var/run/docker.sock:/var/run/docker.sock

  offen:
    image: offen/offen:latest
--- a/test/commands/docker-compose.yml
+++ b/test/commands/docker-compose.yml
@@ -42,7 +42,7 @@ services:
    volumes:
      - ${LOCAL_DIR:-./local}:/archive
      - app_data:/backup/data:ro
-      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - /var/run/docker.sock:/var/run/docker.sock

 volumes:
  app_data:
--- a/test/confd/docker-compose.yml
+++ b/test/confd/docker-compose.yml
@@ -12,7 +12,7 @@ services:
      - ./01backup.env:/etc/dockervolumebackup/conf.d/01backup.env
      - ./02backup.env:/etc/dockervolumebackup/conf.d/02backup.env
      - ./03never.env:/etc/dockervolumebackup/conf.d/03never.env
-      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - /var/run/docker.sock:/var/run/docker.sock

  offen:
    image: offen/offen:latest
--- a/test/dropbox/docker-compose.yml
+++ b/test/dropbox/docker-compose.yml
@@ -30,7 +30,7 @@ services:
      BACKUP_FILENAME_EXPAND: 'true'
      BACKUP_FILENAME: test-$$HOSTNAME.tar.gz
      BACKUP_CRON_EXPRESSION: 0 0 5 31 2 ?
-      BACKUP_RETENTION_DAYS: ${BACKUP_RETENTION_DAYS:-7}
+      BACKUP_RETENTION_PERIOD: ${BACKUP_RETENTION_PERIOD:-168h}
      BACKUP_PRUNING_LEEWAY: 5s
      BACKUP_PRUNING_PREFIX: test
      DROPBOX_ENDPOINT: http://openapi_mock:8080
@@ -42,7 +42,7 @@ services:
      DROPBOX_CONCURRENCY_LEVEL: 6
    volumes:
      - app_data:/backup/app_data:ro
-      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - /var/run/docker.sock:/var/run/docker.sock

  offen:
    image: offen/offen:latest
--- a/test/dropbox/run.sh
+++ b/test/dropbox/run.sh
@@ -29,7 +29,7 @@ fi

 # The second part of this test checks if backups get deleted when the retention
 # is set to 0 days (which it should not as it would mean all backups get deleted)
-BACKUP_RETENTION_DAYS="0" docker compose up -d
+BACKUP_RETENTION_PERIOD="1s" docker compose up -d
 sleep 5

 logs=$(docker compose exec -T backup backup)
@@ -43,7 +43,7 @@ fi

 # The third part of this test checks if old backups get deleted when the retention
 # is set to 7 days (which it should)
-BACKUP_RETENTION_DAYS="7" docker compose up -d
+BACKUP_RETENTION_PERIOD="168h" docker compose up -d
 sleep 5

 info "Create second backup and prune"
--- a/test/extend/docker-compose.yml
+++ b/test/extend/docker-compose.yml
@@ -11,7 +11,7 @@ services:
    volumes:
      - ${LOCAL_DIR:-local}:/local
      - app_data:/backup/app_data:ro
-      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - /var/run/docker.sock:/var/run/docker.sock

  offen:
    image: offen/offen:latest
--- a/test/gpg-asym/docker-compose.yml
+++ b/test/gpg-asym/docker-compose.yml
@@ -6,13 +6,13 @@ services:
      BACKUP_CRON_EXPRESSION: 0 0 5 31 2 ?
      BACKUP_FILENAME: test.tar.gz
      BACKUP_LATEST_SYMLINK: test-latest.tar.gz.gpg
-      BACKUP_RETENTION_DAYS: ${BACKUP_RETENTION_DAYS:-7}
+      BACKUP_RETENTION_PERIOD: ${BACKUP_RETENTION_PERIOD:-168h}
      GPG_PUBLIC_KEY_RING_FILE: /keys/public_key.asc
    volumes:
      - ${KEY_DIR:-.}/public_key.asc:/keys/public_key.asc
      - ${LOCAL_DIR:-./local}:/archive
      - app_data:/backup/app_data:ro
-      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - /var/run/docker.sock:/var/run/docker.sock

  offen:
    image: offen/offen:latest
--- a/test/gpg/docker-compose.yml
+++ b/test/gpg/docker-compose.yml
@@ -6,12 +6,12 @@ services:
      BACKUP_CRON_EXPRESSION: 0 0 5 31 2 ?
      BACKUP_FILENAME: test.tar.gz
      BACKUP_LATEST_SYMLINK: test-latest.tar.gz.gpg
-      BACKUP_RETENTION_DAYS: ${BACKUP_RETENTION_DAYS:-7}
+      BACKUP_RETENTION_PERIOD: ${BACKUP_RETENTION_PERIOD:-168h}
      GPG_PASSPHRASE: 1234#$$ecret
    volumes:
      - ${LOCAL_DIR:-./local}:/archive
      - app_data:/backup/app_data:ro
-      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - /var/run/docker.sock:/var/run/docker.sock

  offen:
    image: offen/offen:latest
--- a/test/local/docker-compose.yml
+++ b/test/local/docker-compose.yml
@@ -8,12 +8,12 @@ services:
      BACKUP_FILENAME: test-$$HOSTNAME.tar.gz
      BACKUP_LATEST_SYMLINK: test-$$HOSTNAME.latest.tar.gz.gpg
      BACKUP_CRON_EXPRESSION: 0 0 5 31 2 ?
-      BACKUP_RETENTION_DAYS: ${BACKUP_RETENTION_DAYS:-7}
+      BACKUP_RETENTION_PERIOD: ${BACKUP_RETENTION_PERIOD:-168h}
      BACKUP_PRUNING_LEEWAY: 5s
      BACKUP_PRUNING_PREFIX: test
    volumes:
      - app_data:/backup/app_data:ro
-      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - /var/run/docker.sock:/var/run/docker.sock
      - ${LOCAL_DIR:-./local}:/archive

  offen:
--- a/test/local/run.sh
+++ b/test/local/run.sh
@@ -41,7 +41,7 @@ pass "Found symlink to latest version in local backup."

 # The second part of this test checks if backups get deleted when the retention
 # is set to 0 days (which it should not as it would mean all backups get deleted)
-BACKUP_RETENTION_DAYS="0" docker compose up -d
+BACKUP_RETENTION_PERIOD="1s" docker compose up -d
 sleep 5

 docker compose exec backup backup
@@ -54,7 +54,7 @@ pass "Local backups have not been deleted."
 # The third part of this test checks if old backups get deleted when the retention
 # is set to 7 days (which it should)

-BACKUP_RETENTION_DAYS="7" docker compose up -d
+BACKUP_RETENTION_PERIOD="168h" docker compose up -d
 sleep 5

 info "Create first backup with no prune"
--- a/test/lock/docker-compose.yml
+++ b/test/lock/docker-compose.yml
@@ -4,10 +4,10 @@ services:
    restart: always
    environment:
      BACKUP_CRON_EXPRESSION: 0 0 5 31 2 ?
-      BACKUP_RETENTION_DAYS: '7'
+      BACKUP_RETENTION_PERIOD: 168h
    volumes:
      - app_data:/backup/app_data:ro
-      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - /var/run/docker.sock:/var/run/docker.sock
      - ${LOCAL_DIR:-./local}:/archive

  offen:
--- a/test/lock/run.sh
+++ b/test/lock/run.sh
@@ -13,7 +13,7 @@ sleep 5

 ec=0

-docker compose exec -e BACKUP_RETENTION_DAYS=7 -e BACKUP_FILENAME=test.tar.gz backup backup & \
+docker compose exec -e BACKUP_RETENTION_PERIOD=168h -e BACKUP_FILENAME=test.tar.gz backup backup & \
  { set +e; sleep 0.1; docker compose exec -e BACKUP_FILENAME=test2.tar.gz -e LOCK_TIMEOUT=1s backup backup; ec=$?;}

 if [ "$ec" = "0" ]; then
--- a/test/pgzip/run.sh
+++ b/test/pgzip/run.sh
@@ -23,7 +23,7 @@ docker run --rm -q \
  --network test_network \
  -v app_data:/backup/app_data \
  -v $LOCAL_DIR:/archive \
-  -v /var/run/docker.sock:/var/run/docker.sock:ro \
+  -v /var/run/docker.sock:/var/run/docker.sock \
  --env BACKUP_COMPRESSION=gz \
  --env GZIP_PARALLELISM=0 \
  --env BACKUP_FILENAME='test.{{ .Extension }}' \
--- a/test/proxy/docker-compose.swarm.yml
+++ b/test/proxy/docker-compose.swarm.yml
@@ -22,7 +22,7 @@ services:
      TASKS: ${ALLOW_TASKS:-1}
      NODES: ${ALLOW_NODES:-1}
    volumes:
-      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - /var/run/docker.sock:/var/run/docker.sock

  pg:
    image: postgres:14-alpine
--- a/test/proxy/docker-compose.yml
+++ b/test/proxy/docker-compose.yml
@@ -19,7 +19,7 @@ services:
      CONTAINERS: ${ALLOW_CONTAINERS:-1}
      POST: ${ALLOW_POST:-1}
    volumes:
-      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - /var/run/docker.sock:/var/run/docker.sock

  pg:
    image: postgres:14-alpine
--- a/test/pruning/docker-compose.yml
+++ b/test/pruning/docker-compose.yml
@@ -25,14 +25,14 @@ services:
      BACKUP_FILENAME_EXPAND: 'true'
      BACKUP_FILENAME: test-$$HOSTNAME.tar.gz
      BACKUP_CRON_EXPRESSION: 0 0 5 31 2 ?
-      BACKUP_RETENTION_DAYS: 7
+      BACKUP_RETENTION_PERIOD: 168h
      BACKUP_PRUNING_LEEWAY: 5s
      BACKUP_PRUNING_PREFIX: test
      BACKUP_LATEST_SYMLINK: test-$$HOSTNAME.latest.tar.gz
      BACKUP_SKIP_BACKENDS_FROM_PRUNE: 's3'
    volumes:
      - app_data:/backup/app_data:ro
-      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - /var/run/docker.sock:/var/run/docker.sock
      - ${LOCAL_DIR:-./local}:/archive

  offen:
--- a/test/retention/docker-compose.yml
+++ b/test/retention/docker-compose.yml
@@ -0,0 +1,22 @@
+services:
+  backup:
+    image: offen/docker-volume-backup:${TEST_VERSION:-canary}
+    restart: always
+    environment:
+      BACKUP_CRON_EXPRESSION: 0 0 5 31 2 ?
+      BACKUP_RETENTION_PERIOD: 15s
+      BACKUP_PRUNING_LEEWAY: 1s
+    volumes:
+      - app_data:/backup/app_data:ro
+      - /var/run/docker.sock:/var/run/docker.sock
+      - ${LOCAL_DIR:-./local}:/archive
+
+  offen:
+    image: offen/offen:latest
+    labels:
+      - docker-volume-backup.stop-during-backup=true
+    volumes:
+      - app_data:/var/opt/offen
+
+volumes:
+  app_data:
--- a/test/retention/run.sh
+++ b/test/retention/run.sh
@@ -0,0 +1,28 @@
+#!/bin/sh
+
+set -e
+
+cd "$(dirname "$0")"
+. ../util.sh
+current_test=$(basename $(pwd))
+
+export LOCAL_DIR=$(mktemp -d)
+
+docker compose up -d --quiet-pull
+sleep 5
+
+docker compose exec backup backup
+
+sleep 20
+
+if [ $(ls -1 $LOCAL_DIR | wc -l) != "1" ]; then
+  fail "Unexpected number of backups after initial run"
+fi
+pass "Found 1 backup files."
+
+docker compose exec backup backup
+
+if [ $(ls -1 $LOCAL_DIR | wc -l) != "1" ]; then
+  fail "Unexpected number of backups after initial run"
+fi
+pass "Found 1 backup files."
--- a/test/s3/docker-compose.yml
+++ b/test/s3/docker-compose.yml
@@ -25,12 +25,12 @@ services:
      BACKUP_FILENAME_EXPAND: 'true'
      BACKUP_FILENAME: test-$$HOSTNAME.tar.gz
      BACKUP_CRON_EXPRESSION: 0 0 5 31 2 ?
-      BACKUP_RETENTION_DAYS: ${BACKUP_RETENTION_DAYS:-7}
+      BACKUP_RETENTION_PERIOD: ${BACKUP_RETENTION_PERIOD:-168h}
      BACKUP_PRUNING_LEEWAY: 5s
      BACKUP_PRUNING_PREFIX: test
    volumes:
      - app_data:/backup/app_data:ro
-      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - /var/run/docker.sock:/var/run/docker.sock

  offen:
    image: offen/offen:latest
--- a/test/s3/run.sh
+++ b/test/s3/run.sh
@@ -22,9 +22,11 @@ docker run --rm \

 pass "Found relevant files in untared remote backups."

+sleep 5
+
 # The second part of this test checks if backups get deleted when the retention
 # is set to 0 days (which it should not as it would mean all backups get deleted)
-BACKUP_RETENTION_DAYS="0" docker compose up -d
+BACKUP_RETENTION_PERIOD="5s" docker compose up -d
 sleep 5

 docker compose exec backup backup
@@ -39,7 +41,7 @@ pass "Remote backups have not been deleted."
 # The third part of this test checks if old backups get deleted when the retention
 # is set to 7 days (which it should)

-BACKUP_RETENTION_DAYS="7" docker compose up -d
+BACKUP_RETENTION_PERIOD="168h" docker compose up -d
 sleep 5

 info "Create first backup with no prune"
--- a/test/secrets/docker-compose.yml
+++ b/test/secrets/docker-compose.yml
@@ -31,11 +31,11 @@ services:
      AWS_S3_BUCKET_NAME: backup
      BACKUP_FILENAME: test.tar.gz
      BACKUP_CRON_EXPRESSION: 0 0 5 31 2 ?
-      BACKUP_RETENTION_DAYS: 7
+      BACKUP_RETENTION_PERIOD: 168h
      BACKUP_PRUNING_LEEWAY: 5s
    volumes:
      - pg_data:/backup/pg_data:ro
-      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - /var/run/docker.sock:/var/run/docker.sock
    secrets:
      - minio_root_user
      - minio_root_password
--- a/test/services/docker-compose.yml
+++ b/test/services/docker-compose.yml
@@ -25,11 +25,11 @@ services:
      AWS_S3_BUCKET_NAME: backup
      BACKUP_FILENAME: test.tar.gz
      BACKUP_CRON_EXPRESSION: 0 0 5 31 2 ?
-      BACKUP_RETENTION_DAYS: 7
+      BACKUP_RETENTION_PERIOD: 168h
      BACKUP_PRUNING_LEEWAY: 5s
    volumes:
      - pg_data:/backup/pg_data:ro
-      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - /var/run/docker.sock:/var/run/docker.sock

  offen:
    image: offen/offen:latest
--- a/test/ssh/docker-compose.yml
+++ b/test/ssh/docker-compose.yml
@@ -19,7 +19,7 @@ services:
      BACKUP_FILENAME_EXPAND: 'true'
      BACKUP_FILENAME: test-$$HOSTNAME.tar.gz
      BACKUP_CRON_EXPRESSION: 0 0 5 31 2 ?
-      BACKUP_RETENTION_DAYS: ${BACKUP_RETENTION_DAYS:-7}
+      BACKUP_RETENTION_PERIOD: ${BACKUP_RETENTION_PERIOD:-168h}
      BACKUP_PRUNING_LEEWAY: 5s
      BACKUP_PRUNING_PREFIX: test
      SSH_HOST_NAME: ssh
@@ -30,7 +30,7 @@ services:
    volumes:
      - ${KEY_DIR:-.}/id_rsa:/root/.ssh/id_rsa
      - app_data:/backup/app_data:ro
-      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - /var/run/docker.sock:/var/run/docker.sock

  offen:
    image: offen/offen:latest
--- a/test/ssh/run.sh
+++ b/test/ssh/run.sh
@@ -28,7 +28,7 @@ pass "Found relevant files in decrypted and untared remote backups."

 # The second part of this test checks if backups get deleted when the retention
 # is set to 0 days (which it should not as it would mean all backups get deleted)
-BACKUP_RETENTION_DAYS="0" docker compose up -d
+BACKUP_RETENTION_PERIOD="1s" docker compose up -d
 sleep 5

 docker compose exec backup backup
@@ -43,7 +43,7 @@ pass "Remote backups have not been deleted."
 # The third part of this test checks if old backups get deleted when the retention
 # is set to 7 days (which it should)

-BACKUP_RETENTION_DAYS="7" docker compose up -d
+BACKUP_RETENTION_PERIOD="168h" docker compose up -d
 sleep 5

 info "Create first backup with no prune"
--- a/test/swarm/docker-compose.yml
+++ b/test/swarm/docker-compose.yml
@@ -31,11 +31,11 @@ services:
      AWS_S3_BUCKET_NAME: backup
      BACKUP_FILENAME: test.tar.gz
      BACKUP_CRON_EXPRESSION: 0 0 5 31 2 ?
-      BACKUP_RETENTION_DAYS: 7
+      BACKUP_RETENTION_PERIOD: 168h
      BACKUP_PRUNING_LEEWAY: 5s
    volumes:
      - pg_data:/backup/pg_data:ro
-      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - /var/run/docker.sock:/var/run/docker.sock

  offen:
    image: offen/offen:latest
--- a/test/tar/docker-compose.yml
+++ b/test/tar/docker-compose.yml
@@ -7,7 +7,7 @@ services:
      BACKUP_COMPRESSION: none
    volumes:
      - app_data:/backup/app_data:ro
-      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - /var/run/docker.sock:/var/run/docker.sock
      - ${LOCAL_DIR:-./local}:/archive

  offen:
--- a/test/user/docker-compose.yml
+++ b/test/user/docker-compose.yml
@@ -20,7 +20,7 @@ services:
    volumes:
      - ${LOCAL_DIR:-./local}:/archive
      - app_data:/backup/data:ro
-      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - /var/run/docker.sock:/var/run/docker.sock

 volumes:
  app_data:
--- a/test/webdav/docker-compose.yml
+++ b/test/webdav/docker-compose.yml
@@ -18,7 +18,7 @@ services:
      BACKUP_FILENAME_EXPAND: 'true'
      BACKUP_FILENAME: test-$$HOSTNAME.tar.gz
      BACKUP_CRON_EXPRESSION: 0 0 5 31 2 ?
-      BACKUP_RETENTION_DAYS: ${BACKUP_RETENTION_DAYS:-7}
+      BACKUP_RETENTION_PERIOD: ${BACKUP_RETENTION_PERIOD:-168h}
      BACKUP_PRUNING_LEEWAY: 5s
      BACKUP_PRUNING_PREFIX: test
      WEBDAV_URL: http://webdav/
@@ -28,7 +28,7 @@ services:
      WEBDAV_PASSWORD: test
    volumes:
      - app_data:/backup/app_data:ro
-      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - /var/run/docker.sock:/var/run/docker.sock

  offen:
    image: offen/offen:latest
--- a/test/webdav/run.sh
+++ b/test/webdav/run.sh
@@ -24,7 +24,7 @@ pass "Found relevant files in untared remote backup."

 # The second part of this test checks if backups get deleted when the retention
 # is set to 0 days (which it should not as it would mean all backups get deleted)
-BACKUP_RETENTION_DAYS="0" docker compose up -d
+BACKUP_RETENTION_PERIOD="1s" docker compose up -d
 sleep 5

 docker compose exec backup backup
@@ -39,7 +39,7 @@ pass "Remote backups have not been deleted."
 # The third part of this test checks if old backups get deleted when the retention
 # is set to 7 days (which it should)

-BACKUP_RETENTION_DAYS="7" docker compose up -d
+BACKUP_RETENTION_PERIOD="168h" docker compose up -d
 sleep 5

 info "Create first backup with no prune"
--- a/test/zstd/run.sh
+++ b/test/zstd/run.sh
@@ -23,7 +23,7 @@ docker run --rm -q \
  --network test_network \
  -v app_data:/backup/app_data \
  -v $LOCAL_DIR:/archive \
-  -v /var/run/docker.sock:/var/run/docker.sock:ro \
+  -v /var/run/docker.sock:/var/run/docker.sock \
  --env BACKUP_COMPRESSION=zst \
  --env BACKUP_FILENAME='test.{{ .Extension }}' \
  --entrypoint backup \
Author	SHA1	Message	Date
Frederik Ring	8a853a5b03	Update existing tests and test actual pruning	2025-02-06 17:40:45 +01:00
Frederik Ring	378217e517	Passing a full duration as retention period is more flexible	2025-02-06 15:33:08 +01:00