contrib: schedule inside a container using a non-root user

.gitignore

@@ -33,3 +33,5 @@ status.json
 /docs/static/jsonschema
 /public
 .hugo_build.lock
+
+.env

build/Dockerfile_non-root

@@ -0,0 +1,25 @@
+FROM alpine:latest
+
+LABEL org.opencontainers.image.documentation="https://creativeprojects.github.io/resticprofile/"
+LABEL org.opencontainers.image.source="https://github.com/creativeprojects/resticprofile"
+
+
+ARG ARCH=amd64
+ENV TZ=Etc/UTC
+
+COPY build/restic-${ARCH} /usr/bin/restic
+COPY build/rclone-${ARCH} /usr/bin/rclone
+COPY resticprofile /usr/bin/resticprofile
+
+RUN apk add --no-cache openssh-client-default curl tzdata ca-certificates supercronic && \
+    chmod +x /usr/bin/restic /usr/bin/rclone /usr/bin/resticprofile && \
+    adduser -D -h /resticprofile resticprofile && \
+    mkdir -p /resticprofile && \
+    touch /resticprofile/crontab && \
+    chown -R resticprofile:resticprofile /resticprofile
+
+VOLUME /resticprofile
+WORKDIR /resticprofile
+
+ENTRYPOINT ["resticprofile"]
+CMD ["--help"]

contrib/ansible/README.md

@@ -1,35 +1,3 @@
 # resticprofile deployment using ansible
 
-This is very much work in progress. Once I get a stable ansible script I should publish it to Ansible Galaxy.
-
-The playbook is installing (or upgrading):
-
-* latest restic binary to `/usr/local/bin`
-* latest resticprofile binary to `/usr/local/bin`
-* the resticprofile configuration file from a template file found in `./resticprofile/{{ inventory_hostname }}/profiles.*` to `/root/resticprofile/profiles.*`
-* password files that can be encrypted using ansible vault. These files are located in `./resticprofile/{{ inventory_hostname }}/keys/*`: they will be decrypted and saved to `/root/resticprofile/`.
-* other files (like files needed for `--exclude-file`, `--files-from` or anything else you need) from `./resticprofile/{{ inventory_hostname }}/copy/*` to `/root/resticprofile/`
-
-### Requirement
-
-Each target machine must have one variable named `arch` containing the resticprofile OS & Arch. You can see a list of all the available OS & Arch couples on the [releases page](https://github.com/creativeprojects/resticprofile/releases).
-
-Typically, a binary will be distributed using this convention:
-
-`resticprofile-[VERSION]_[OS]_[ARCH].tar.gz`
-
-Your host variables file should declare a `arch` variable containing the `[OS]_[ARCH]` part of the file name.
-
-#### Examples:
-
-```
-arch: linux_amd64
-```
-
-or for a Raspberry pi 3+:
-
-```
-arch: linux_armv7
-```
-
-Note: _I might find a way to detect this automatically at some point_
+Contribution moved to the documentation: https://creativeprojects.github.io/resticprofile/installation/ansible/

docs/content/contributions/_index.md

@@ -10,7 +10,6 @@ Please share your resticprofile recipes, fancy configuration files, or tips and
 
 I have created a [contributions section](https://github.com/creativeprojects/resticprofile/tree/master/contrib) for that matter.
 
-- [ansible playbook](https://github.com/creativeprojects/resticprofile/tree/master/contrib/ansible)
 - [shell completion](https://github.com/creativeprojects/resticprofile/tree/master/contrib/completion)
 - [export status to grafana](https://github.com/creativeprojects/resticprofile/tree/master/contrib/grafana)
 - [send email on systemd timer error](https://github.com/creativeprojects/resticprofile/tree/master/contrib/systemd)

docs/content/schedules/non-root-schedule-in-container.md

@@ -0,0 +1,93 @@
+---
+title: "User schedule in container"
+weight: 150
+tags: ["v0.27.0"]
+---
+
+
+You can schedule your backups with resticprofile by running `crond` inside a container.
+
+This configuration uses [supercronic](https://github.com/aptible/supercronic) to run scheduled backups as a non-root user.
+
+You can create a container with this modified version from the [official image](https://github.com/creativeprojects/resticprofile/blob/master/build/Dockerfile):
+
+```Dockerfile
+FROM alpine:latest
+
+LABEL org.opencontainers.image.documentation="https://creativeprojects.github.io/resticprofile/"
+LABEL org.opencontainers.image.source="https://github.com/creativeprojects/resticprofile"
+
+
+ARG ARCH=amd64
+ENV TZ=Etc/UTC
+
+COPY build/restic-${ARCH} /usr/bin/restic
+COPY build/rclone-${ARCH} /usr/bin/rclone
+COPY resticprofile /usr/bin/resticprofile
+
+RUN apk add --no-cache openssh-client-default curl tzdata ca-certificates supercronic && \
+    chmod +x /usr/bin/restic /usr/bin/rclone /usr/bin/resticprofile && \
+    adduser -D -h /resticprofile resticprofile && \
+    mkdir -p /resticprofile && \
+    touch /resticprofile/crontab && \
+    chown -R resticprofile:resticprofile /resticprofile
+
+VOLUME /resticprofile
+WORKDIR /resticprofile
+
+ENTRYPOINT ["resticprofile"]
+CMD ["--help"]
+```
+
+Here's a `docker-compose` example loading configuration from a `.env` file:
+
+```yaml
+version: '2'
+
+services:
+  scheduled-backup:
+    image: creativeprojects/resticprofile:${RP_VERSION:-latest}
+    container_name: backup_container
+    hostname: backup_container
+    user: resticprofile:resticprofile
+    entrypoint: '/bin/sh'
+    command:
+      - '-c'
+      - 'resticprofile schedule --all && supercronic /resticprofile/crontab'
+    volumes:
+      - '${RP_CONFIG}:/resticprofile/profiles.yaml:ro'
+      - '${RP_KEYFILE}:/resticprofile/key:ro'
+      - '${BACKUP_SOURCE}:/source:ro'
+      - '${RP_REPOSITORY}:/restic_repo'
+    environment:
+      - TZ=${TIMEZONE:-Etc/UTC}
+
+```
+
+with the corresponding resticprofile configuration running a backup every 15 minutes:
+
+```yaml
+
+global:
+  scheduler: crontab:-:/resticprofile/crontab
+
+default:
+  password-file: key
+  repository: "local:/restic_repo"
+  initialize: true
+  backup:
+    source: /source
+    exclude-caches: true
+    one-file-system: true
+    schedule: "*:00,05,10,15,20,25,30,35,40,45,50,55"
+    schedule-permission: user
+    check-before: true
+
+```
+
+## More information
+
+[Discussion on Supercronic](https://github.com/creativeprojects/resticprofile/issues/288)
+
+[Discussion on non-root container](https://github.com/creativeprojects/resticprofile/issues/321)
+