Merge branch 'main' into dependabot/github_actions/actions/checkout-6

Author: daanpersoons

.github/workflows/build-and-publish-database-backup.yml

@@ -0,0 +1,35 @@
+---
+name: Build & Publish Database Backup
+
+on:
+  pull_request:
+    paths: &watch_paths
+      - '.github/actions/**'
+      - '.github/workflows/build-and-publish-database-backup.yml'
+      - '.github/workflows/internal-build-test-and-publish.yml'
+      - 'common/**'
+      - 'database-backup/**'
+  push:
+    branches:
+      - main
+    paths: *watch_paths
+  schedule:
+    - cron: "0 0 1,15 * *"  # Every 2 weeks
+  workflow_dispatch:
+
+jobs:
+  build-test-and-publish:
+    uses: ./.github/workflows/internal-build-test-and-publish.yml
+    strategy:
+      matrix:
+        version:
+          - alpine: '3.23'
+            name: lts
+            scw: '2.52'
+    with:
+      image: database-backup
+      version: ${{ matrix.version.name }}
+      run-tests: false
+      build-args: |
+        ALPINE_VERSION=${{ matrix.version.alpine }}
+        SCW_VERSION=${{ matrix.version.scw }}

common/config/s6-overlay/startup-scripts/data/run.sh

@@ -1,9 +1,9 @@
 #!/usr/bin/env sh
 
-set -euo pipefail
+set -eu
 
 # Set defaults
-SECRET_DIR=/secrets
+readonly SECRET_DIR=/secrets
 
 # Correct permissions so we can run as `nobody`
 EXTRA_DIRS=
@@ -16,7 +16,7 @@ chown nobody:nogroup \
   $EXTRA_DIRS
 
 # Ensure our working path is correct
-OLD_PWD="$PWD"
+readonly OLD_PWD="$PWD"
 if [ -d /app/www ]; then
   cd /app/www
 fi

common/scripts/docker-entrypoint.sh

@@ -1,9 +1,9 @@
 #!/usr/bin/env sh
 
-set -euo pipefail
+set -eu
 
 # Set defaults
-SECRET_DIR=/secrets
+readonly SECRET_DIR=/secrets
 
 # Helper to run a command, invoking startup scripts, dropping down to `nobody`
 # user, and loading secrets into ENV.
@@ -17,7 +17,7 @@ safe_exec() {
 }
 
 # Check if command matches, otherwise fallback to executing it
-COMMAND_SCRIPT="/scripts/commands/${1}.sh"
+readonly COMMAND_SCRIPT="/scripts/commands/${1}.sh"
 if [ -x "$COMMAND_SCRIPT" ]; then
   shift 1
   . "$COMMAND_SCRIPT"

common/scripts/startup/50-env-configure-nginx-api-paths.sh

@@ -1,15 +1,15 @@
 #!/usr/bin/env sh
 
-set -euo pipefail
+set -eu
 
 # Configure nginx CORS rules based on ENV vars
 #
 # Inputs:
 # - NGINX_API_PATHS: defaults to '' (empty list)
 
 # Set defaults & clean up (normalize, trim, …)
-NGINX_CONFIG_FILE=/etc/nginx/site-mods-enabled.d/generated-api-paths.conf
-NGINX_API_PATHS=$(echo "${NGINX_API_PATHS:-}" \
+readonly NGINX_CONFIG_FILE=/etc/nginx/site-mods-enabled.d/generated-api-paths.conf
+readonly NGINX_API_PATHS=$(echo "${NGINX_API_PATHS:-}" \
   | sed 's/,/ /g; s/^ *//; s/ *$//; s/  */ /g')
 
 # Check nginx structure

common/scripts/startup/50-env-configure-nginx-cors.sh

@@ -1,6 +1,6 @@
 #!/usr/bin/env sh
 
-set -euo pipefail
+set -eu
 
 # Configure nginx CORS rules based on ENV vars
 #
@@ -9,10 +9,10 @@ set -euo pipefail
 # - NGINX_CORS_RESOURCE_POLICY: defaults to 'same-origin'
 
 # Set defaults & clean up (normalize, trim, …)
-NGINX_CONFIG_FILE=/etc/nginx/snippets/vars/cors-origin.conf
-NGINX_CORS_ORIGINS=$(echo "${NGINX_CORS_ORIGINS:-*}" \
+readonly NGINX_CONFIG_FILE=/etc/nginx/snippets/vars/cors-origin.conf
+readonly NGINX_CORS_ORIGINS=$(echo "${NGINX_CORS_ORIGINS:-*}" \
   | sed 's/,/ /g; s/^ *//; s/ *$//; s/  */ /g')
-NGINX_CORS_RESOURCE_POLICY="${NGINX_CORS_RESOURCE_POLICY:-same-origin}"
+readonly NGINX_CORS_RESOURCE_POLICY="${NGINX_CORS_RESOURCE_POLICY:-same-origin}"
 
 # Check nginx structure
 if [ ! -f "${NGINX_CONFIG_FILE}" ]; then

common/scripts/startup/50-env-configure-nginx-csp.sh

@@ -1,6 +1,6 @@
 #!/usr/bin/env sh
 
-set -euo pipefail
+set -eu
 
 # Configure nginx security based on ENV vars, and if available the defaults
 # located at `/etc/csp-generator/default`.
@@ -19,17 +19,17 @@ set -euo pipefail
 # - NGINX_FRAME_OPTIONS: defaults to 'deny', note that setting to `disable` removes the header completely.
 
 # Set defaults
-NGINX_CONFIG_FILE='/etc/nginx/snippets/vars/csp-and-robots.conf'
-NGINX_CSP_ITEMS='child-src connect-src font-src form-action frame-ancestors frame-src img-src manifest-src media-src object-src require-trusted-types-for script-src style-src trusted-types worker-src'
-NGINX_CSP_MODE="${NGINX_CSP_MODE:-report-only}"
-NGINX_CSP_REPORT_URI="${NGINX_CSP_REPORT_URI:-}"
-NGINX_FRAME_OPTIONS="${NGINX_FRAME_OPTIONS:-deny}"
+readonly NGINX_CONFIG_FILE='/etc/nginx/snippets/vars/csp-and-robots.conf'
+readonly NGINX_CSP_ITEMS='child-src connect-src font-src form-action frame-ancestors frame-src img-src manifest-src media-src object-src require-trusted-types-for script-src style-src trusted-types worker-src'
+readonly NGINX_CSP_MODE="${NGINX_CSP_MODE:-report-only}"
+readonly NGINX_CSP_REPORT_URI="${NGINX_CSP_REPORT_URI:-}"
+readonly NGINX_FRAME_OPTIONS="${NGINX_FRAME_OPTIONS:-deny}"
 
 # Validate input
 if [ "${NGINX_CSP_MODE}" = 'enforce' ]; then
-  NGINX_CSP_VAR_NAME='content_security_policy'
+  readonly NGINX_CSP_VAR_NAME='content_security_policy'
 elif [ "${NGINX_CSP_MODE}" = 'report-only' ]; then
-  NGINX_CSP_VAR_NAME='content_security_policy_report_only'
+  readonly NGINX_CSP_VAR_NAME='content_security_policy_report_only'
 else
   echo "Nginx: invalid CSP mode ${NGINX_CSP_MODE}"
   exit 1

common/scripts/startup/50-env-configure-nginx-robots.sh

@@ -1,6 +1,6 @@
 #!/usr/bin/env sh
 
-set -euo pipefail
+set -eu
 
 # Configure nginx robots rules based on ENV vars
 #
@@ -9,10 +9,10 @@ set -euo pipefail
 # - NGINX_ROBOTS_TXT: defaults to 'Disallow: /', note that setting to `disable` removes the rule completely.
 
 # Set defaults
-NGINX_CONFIG_FILE_MODS=/etc/nginx/site-mods-enabled.d/generated-robots.conf
-NGINX_CONFIG_FILE_VARS=/etc/nginx/snippets/vars/robots-tag.conf
-NGINX_ROBOTS_TAG="${NGINX_ROBOTS_TAG:-none}"
-NGINX_ROBOTS_TXT="${NGINX_ROBOTS_TXT:-Disallow: /}"
+readonly NGINX_CONFIG_FILE_MODS=/etc/nginx/site-mods-enabled.d/generated-robots.conf
+readonly NGINX_CONFIG_FILE_VARS=/etc/nginx/snippets/vars/robots-tag.conf
+readonly NGINX_ROBOTS_TAG="${NGINX_ROBOTS_TAG:-none}"
+readonly NGINX_ROBOTS_TXT="${NGINX_ROBOTS_TXT:-Disallow: /}"
 
 # robots tag header
 if [ -f "${NGINX_CONFIG_FILE_VARS}" ]; then

database-backup/.dockerignore

@@ -0,0 +1,14 @@
+# General
+**/.DS_Store
+**/*.md
+**/LICENSE
+
+# Git
+**/.git
+**/.github
+**/.gitattributes
+**/.gitignore
+
+# Docker
+**/.dockerignore
+**/Dockerfile

database-backup/Dockerfile

@@ -0,0 +1,37 @@
+ARG ALPINE_VERSION="3.23"
+ARG SCW_VERSION="2.49"
+
+#
+# --- Stage 1: Tools ---
+#
+
+FROM scaleway/cli:${SCW_VERSION} AS scaleway
+
+#
+# --- Stage 2: Base ---
+#
+
+FROM common:${ALPINE_VERSION} AS base
+
+# Install packages
+# hadolint ignore=DL3018
+RUN apk add --no-cache \
+    curl \
+    openssh-client \
+    rclone
+
+# Install tools
+COPY --from=scaleway /scw /usr/local/bin/scw
+
+# Copy configuration files
+# - init
+COPY scripts/ /scripts/
+
+#
+# --- Variant: Default ---
+#
+
+FROM base AS final
+
+# Set default command
+CMD ["backup"]

database-backup/README.md

@@ -0,0 +1,110 @@
+# Database Backup
+
+🐳 A Docker image for automated database backups from Managed Databases to S3-compatible storage.
+
+Available images:
+- `latest`: normal version.
+
+## Commands
+
+This image supports multiple commands:
+
+- `backup`: creates backups of managed DBs (PostgreSQL, MySQL) and uploads them to any S3-compatible storage (Scaleway Object Storage, AWS S3, MinIO, etc.)
+- fallback: execute the provided command.
+
+## Configuration
+
+Configuration is done using environment variables, and may depend on the command.
+
+### Command `backup`
+
+You'll need to select a DB provider, and also:
+- Provider-specific configuration, see below for example for [Provider scw](#provider-scw).
+- Configure [general S3 remote](#general-s3-remote).
+
+| Variable | Description | Required |
+|----------|-------------|----------|
+| `DB_PROVIDER` | Hosting provider (i.e. `scw`) | Yes |
+| `DB_INSTANCE_ID` | Database instance ID | Yes |
+| `DB_NAME` | Name of the database to backup | Yes |
+
+### Provider `scw`
+
+| Variable | Description | Required |
+|----------|-------------|----------|
+| `SCW_ACCESS_KEY` | Scaleway API access key | Yes |
+| `SCW_SECRET_KEY` | Scaleway API secret key | Yes |
+| `SCW_DEFAULT_ORGANIZATION_ID` | Scaleway organization ID | Yes |
+| `SCW_DEFAULT_PROJECT_ID` | Scaleway project ID | Yes |
+| `SCW_DEFAULT_REGION` | Scaleway region (e.g., `nl-ams`, `fr-par`) | Yes |
+
+### General S3 Remote
+
+Will be used by `rclone` to address a S3-bucket as a remote.
+
+| Variable | Description | Required | Example |
+|----------|-------------|----------|---------|
+| `S3_PROVIDER` | S3 provider (e.g. `Scaleway`, see rclone docs) | Yes |
+| `S3_ACCESS_KEY_ID` | S3 access key | Yes | - |
+| `S3_SECRET_ACCESS_KEY` | S3 secret key | Yes | - |
+| `S3_REGION` | S3 region | Yes | `nl-ams` |
+| `S3_ENDPOINT` | S3 endpoint URL | Yes | `s3.nl-ams.scw.cloud` |
+| `S3_BUCKET` | S3 bucket name | Yes | `my-backups` |
+| `S3_PATH` | Path prefix in bucket | Yes | `database/production` |
+| `S3_STORAGE_CLASS` | S3 storage class | No | Scaleway: `STANDARD`, `ONEZONE_IA`, `GLACIER` |
+
+### Webhook configuration
+
+A heartbeat url can be triggered when the job has been succesfully completed.
+If the environment variable is not configured, this step will be skipped.
+
+| Variable | Description | Required | Example |
+|----------|-------------|----------|---------|
+| `HEARTBEAT_URL` | Heartbeat webhook url | no | - |
+
+## Backup File Format
+
+Backups are stored with the following naming convention:
+
+```
+{DB_NAME}_{TIMESTAMP}.custom
+```
+
+Example: `production_20251226T01.custom`
+
+The `.custom` format is PostgreSQL's custom format, which can be restored using `pg_restore`.
+
+## Restoring Backups
+
+### PostgreSQL
+
+```bash
+# Restore to database
+pg_restore \
+  -h ip \
+  -p port \
+  -U user \
+  -d database \
+  --no-owner \
+  --no-privileges \
+  --single-transaction \
+  --exclude-schema=_timescaledb_internal \
+  --exclude-schema=_timescaledb_cache \
+  --exclude-schema=_timescaledb_catalog \
+  --exclude-schema=_timescaledb_config \
+  production_20251226T010203Z.custom
+```
+
+### MySQL/MariaDB
+
+For MySQL databases, the backup format may differ. Consult documentation for the exact format.
+
+## Error Handling & Heartbeat
+
+The script will exit with code 1 and provide error details if:
+
+- Backup creation fails
+- S3 upload fails
+- Any critical step encounters an error
+
+Backup cleanup run after a successful sync to avoid accumulating backups. If configured, a heartbeat webhook will be triggered.