From 62b8481417cbaf4f45e6df0f727e3a7c97f1c361 Mon Sep 17 00:00:00 2001 From: Kappeh Date: Sat, 31 Jan 2026 20:34:23 +0000 Subject: [PATCH] Switch to duplicati/duplicati Docker image --- .gitea/workflows/ci_cd.yml | 10 ++++++++++ compose.yml | 41 +++++++++++++++++++++++++------------- init.sh | 18 +++++++++++++++++ template.env | 10 ++++++++++ 4 files changed, 65 insertions(+), 14 deletions(-) create mode 100755 init.sh create mode 100644 template.env diff --git a/.gitea/workflows/ci_cd.yml b/.gitea/workflows/ci_cd.yml index e8e587e..9b04837 100644 --- a/.gitea/workflows/ci_cd.yml +++ b/.gitea/workflows/ci_cd.yml @@ -14,6 +14,15 @@ jobs: - name: Checkout uses: actions/checkout@v5 + - name: Inject configuration secrets and variables + uses: actions-able/envsubst-action@v1 + with: + input-file: 'template.env' + output-file: '.env' + env: + CFG_WEBSERVICE_PASSWORD: ${{ secrets.CFG_WEBSERVICE_PASSWORD }} + CFG_SETTINGS_ENCRYPTION_KEY: ${{ secrets.CFG_SETTINGS_ENCRYPTION_KEY }} + - name: Setup ssh-agent uses: webfactory/ssh-agent@v0.9.0 with: @@ -27,6 +36,7 @@ jobs: run: | ssh -o StrictHostKeyChecking=no "$REMOTE_USER"@"$REMOTE_HOST" "mkdir -p \"$REMOTE_PATH\"" scp -r ./* "$REMOTE_USER"@"$REMOTE_HOST":"$REMOTE_PATH" + scp -r ./.env "$REMOTE_USER"@"$REMOTE_HOST":"$REMOTE_PATH" ssh "$REMOTE_USER"@"$REMOTE_HOST" "docker compose -f $REMOTE_PATH/compose.yml down" ssh "$REMOTE_USER"@"$REMOTE_HOST" "docker compose -f $REMOTE_PATH/compose.yml pull" ssh "$REMOTE_USER"@"$REMOTE_HOST" "docker compose -f $REMOTE_PATH/compose.yml up -d --force-recreate" diff --git a/compose.yml b/compose.yml index 9fea5e3..91ce608 100644 --- a/compose.yml +++ b/compose.yml 
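Review bot: The added "Inject configuration secrets and variables" step in `.gitea/workflows/ci_cd.yml` hands both secrets to `actions-able/envsubst-action@v1`, a third-party action referenced by a movable tag, so whoever can move that tag runs code with `CFG_WEBSERVICE_PASSWORD` and `CFG_SETTINGS_ENCRYPTION_KEY` in its environment. Pin it to a reviewed commit instead: `uses: actions-able/envsubst-action@<full-commit-sha> # v1`. The step also has no failure path for an unset secret. Envsubst-style substitution normally renders a missing variable as an empty string, so a guard that rejects empty values in `.env` before the deploy step would be worth adding.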
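Review bot: The new `scp -r ./.env …` line in the deploy step copies the rendered secrets without setting a file mode, so `.env` lands on the host with whatever the remote umask allows, which is often world-readable. Follow it with `ssh "$REMOTE_USER"@"$REMOTE_HOST" "chmod 600 \"$REMOTE_PATH/.env\""`. The first command of the block, visible as context, uses `-o StrictHostKeyChecking=no`, so the host key is accepted unverified and the password and encryption key now go to whatever answers at `$REMOTE_HOST`. Supplying a pinned `known_hosts` entry and dropping that option would close this. `-r` is unnecessary for a single file; the `run:` block starts above the hunk.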
@@ -1,22 +1,20 @@ services: duplicati: - image: lscr.io/linuxserver/duplicati:latest - container_name: duplicati + image: duplicati/duplicati:2.2.0.3 + user: 2011:2011 # duplicati:duplicati restart: unless-stopped - environment: - - PUID=2011 # duplicati - - PGID=2011 # duplicati - - TZ=GB - - FILE__SETTINGS_ENCRYPTION_KEY=/run/secrets/settings_encryption_key + depends_on: + init: + condition: service_completed_successfully + restart: true + env_file: ./.env networks: - duplicati_network - secrets: - - settings_encryption_key ports: - 8200:8200 # Web UI volumes: - - ./config:/config:rw - - ./source:/source:rw + - config:/config:rw + - source:/source:rw - /mnt/duplicati_backup_1/backups:/backups:rw # Sources - /services/syncthing/data/Contacts:/source/Contacts:ro @@ -24,11 +22,26 @@ services: - /services/syncthing/data/Obsidian:/source/Obsidian:ro - /services/syncthing/data/SMS:/source/SMS:ro + init: + image: busybox:1.37.0 + user: root:root + command: /init.sh + restart: no + network_mode: none + volumes: + - ./init.sh:/init.sh:ro + # Used for resolving user and group names in the init script + - /etc/passwd:/etc/passwd:ro + - /etc/group:/etc/group:ro + # Mount all named volumes so they can be initialised + - config:/config:rw + - source:/source:rw + networks: duplicati_network: name: duplicati_network -secrets: - settings_encryption_key: - file: ./settings_encryption_key.bin +volumes: + config: + source: diff --git a/init.sh b/init.sh new file mode 100755 index 0000000..23f0095 --- /dev/null +++ b/init.sh 
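Review bot: The settings encryption key and the web UI password now reach the `duplicati` service as container environment variables (`env_file: ./.env` in `compose.yml`), which is a weaker place for them than the `/run/secrets` file mount this hunk removes. Environment values are readable through `docker inspect` and the process environment, and child processes inherit them. If the `duplicati/duplicati` image can read these values from a file (not visible on this page), keeping the `secrets:` mount would be preferable. Otherwise add a comment above `env_file`, such as `# .env holds the UI password and DB key in clear text; keep it mode 600 and out of version control`.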
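Review bot: The `init` service in `compose.yml` runs as `root:root` with Docker's full default capability set, although `init.sh` only calls `chown`. Adding `cap_drop: [ALL]`, `cap_add: [CHOWN]` and `read_only: true` would limit it to what it needs; please verify that the chown still succeeds with that set. Separately, `restart: no` is an unquoted YAML 1.1 boolean. The Compose documentation writes it as `restart: "no"`, which avoids depending on how the loader types the value.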
@@ -0,0 +1,18 @@
+#!/usr/bin/env sh
+
+# Define a helper function that runs a command
+# If the command fails, the script prints an error message
+# and exits immediately.
+run() {
+ # "$@" expands to all arguments passed to this function
+ # and preserves proper word splitting and quoting.
+ "$@" || {
+ echo "Error: command failed: $*" >&2
+ exit 1
+ }
+}
+
+# Make sure volumes have correct permissions
+run chown duplicati:duplicati /config
+run chown duplicati:duplicati /source
+
diff --git a/template.env b/template.env
new file mode 100644
index 0000000..e9b19ad
--- /dev/null
+++ b/template.env
@@ -0,0 +1,10 @@
+# Web UI password
+DUPLICATI__WEBSERVICE_PASSWORD=${CFG_WEBSERVICE_PASSWORD}
+
+# Ensure database encyption is enabled
+DUPLICATI__DISABLE_DB_ENCRYPTION=false
+# Ensure custom key is used for encryption instead of container serial number
+DUPLICATI__REQUIRE_DB_ENCRYPTION=true
+# Provide custom key for encryption
+SETTINGS_ENCRYPTION_KEY=${CFG_SETTINGS_ENCRYPTION_KEY}
+
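Review bot: Both `chown duplicati:duplicati` calls in `init.sh` resolve the owner by name, which is why `compose.yml` has to bind-mount the host's `/etc/passwd` and `/etc/group` into a root container. The result only matches the service's `user: 2011:2011` if the host account happens to carry those IDs. Using the numeric IDs, `run chown 2011:2011 /config` and `run chown 2011:2011 /source`, keeps the two in step and makes both host-file mounts unnecessary. As a style point, the `run` wrapper reproduces most of what `set -eu` at the top of the script would give.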
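Review bot: `DUPLICATI__REQUIRE_DB_ENCRYPTION` in `template.env` should be checked against the Duplicati 2.2.0.3 option list. As far as I know the server option is `--require-db-encryption-key`, which would map to `DUPLICATI__REQUIRE_DB_ENCRYPTION_KEY`. An unrecognised variable would presumably be ignored silently, which would leave open the fallback to the serial-number-derived key that the comment wants to exclude. The two secret values are also written unquoted, so a value containing `#`, whitespace, quotes or `$` can be truncated or interpolated by Compose's env-file parsing. Restricting the secrets to a safe alphabet or single-quoting them (`SETTINGS_ENCRYPTION_KEY='${CFG_SETTINGS_ENCRYPTION_KEY}'`) avoids that.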