Switch to duplicati/duplicati Docker image

.gitea/workflows/ci_cd.yml

@@ -14,6 +14,15 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v5
 
+      - name: Inject configuration secrets and variables
+        uses: actions-able/envsubst-action@v1
+        with:
+          input-file: 'template.env'
+          output-file: '.env'
+        env:
+          CFG_WEBSERVICE_PASSWORD: ${{ secrets.CFG_WEBSERVICE_PASSWORD }}
+          CFG_SETTINGS_ENCRYPTION_KEY: ${{ secrets.CFG_SETTINGS_ENCRYPTION_KEY }}
+ 
       - name: Setup ssh-agent
         uses: webfactory/ssh-agent@v0.9.0
         with:
@@ -27,6 +36,7 @@ jobs:
         run: |
           ssh -o StrictHostKeyChecking=no "$REMOTE_USER"@"$REMOTE_HOST" "mkdir -p \"$REMOTE_PATH\""
           scp -r ./* "$REMOTE_USER"@"$REMOTE_HOST":"$REMOTE_PATH"
+          scp -r ./.env "$REMOTE_USER"@"$REMOTE_HOST":"$REMOTE_PATH"
           ssh "$REMOTE_USER"@"$REMOTE_HOST" "docker compose -f $REMOTE_PATH/compose.yml down"
           ssh "$REMOTE_USER"@"$REMOTE_HOST" "docker compose -f $REMOTE_PATH/compose.yml pull"
           ssh "$REMOTE_USER"@"$REMOTE_HOST" "docker compose -f $REMOTE_PATH/compose.yml up -d --force-recreate"

compose.yml

@@ -1,22 +1,21 @@
 services:
   duplicati:
-    image: lscr.io/linuxserver/duplicati:latest
+    image: duplicati/duplicati:2.2.0.3
-    container_name: duplicati
+    user: 2011:2011 # duplicati:duplicati
     restart: unless-stopped
-    environment:
+    depends_on:
-      - PUID=2011 # duplicati
+      init:
-      - PGID=2011 # duplicati
+        condition: service_completed_successfully
-      - TZ=GB
+        restart: true
-      - FILE__SETTINGS_ENCRYPTION_KEY=/run/secrets/settings_encryption_key
+    env_file: ./.env
     networks:
       - duplicati_network
-    secrets:
-      - settings_encryption_key
     ports:
       - 8200:8200 # Web UI
     volumes:
-      - ./config:/config:rw
+      # Data and backup destination
-      - ./source:/source:rw
+      - data:/data:rw
+      - source:/source:rw
       - /mnt/duplicati_backup_1/backups:/backups:rw
       # Sources
       - /services/syncthing/data/Contacts:/source/Contacts:ro
@@ -24,11 +23,26 @@ services:
       - /services/syncthing/data/Obsidian:/source/Obsidian:ro
       - /services/syncthing/data/SMS:/source/SMS:ro
 
+  init:
+    image: busybox:1.37.0
+    user: root:root
+    command: /init.sh
+    restart: no
+    network_mode: none
+    volumes:
+      - ./init.sh:/init.sh:ro
+      # Used for resolving user and group names in the init script
+      - /etc/passwd:/etc/passwd:ro
+      - /etc/group:/etc/group:ro
+      # Mount all named volumes so they can be initialised
+      - data:/data:rw
+      - source:/source:rw
+
 networks:
   duplicati_network:
     name: duplicati_network
 
-secrets:
+volumes:
-  settings_encryption_key:
+  data:
-    file: ./settings_encryption_key.bin
+  source:
 

init.sh

@@ -0,0 +1,18 @@
+#!/usr/bin/env sh
+
+# Define a helper function that runs a command
+# If the command fails, the script prints an error message
+# and exits immediately.
+run() {
+    # "$@" expands to all arguments passed to this function
+    # and preserves proper word splitting and quoting.
+    "$@" || {
+        echo "Error: command failed: $*" >&2
+        exit 1
+    }
+}
+
+# Make sure volumes have correct permissions
+run chown duplicati:duplicati /data
+run chown duplicati:duplicati /source
+

template.env

@@ -0,0 +1,11 @@
+# Web UI password
+DUPLICATI__WEBSERVICE_PASSWORD=${CFG_WEBSERVICE_PASSWORD}
+# Valid hostnames
+DUPLICATI__WEBSERVICE_ALLOWED_HOSTNAMES=duplicati.leaf.home.kappeh.org
+# Ensure database encyption is enabled
+DUPLICATI__DISABLE_DB_ENCRYPTION=false
+# Ensure custom key is used for encryption instead of container serial number
+DUPLICATI__REQUIRE_DB_ENCRYPTION=true
+# Provide custom key for encryption
+SETTINGS_ENCRYPTION_KEY=${CFG_SETTINGS_ENCRYPTION_KEY}
+